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1  Labels  and  Policies 


We  use  labels  to  specify  information  flow  policies.  We  first  introduce  the  syntax  of  labels  and  operations  on  labels. 
Then,  we  discuss  how  these  labels  can  be  used  to  implement  various  policies  present  in  browsers  today. 


1.1  Syntax  of  Labels 

An  information  flow  label,  written  (S, I,  D),  is  composed  of  a  secrecy  label  S,  an  integrity  label  /,  and  a  declassifica¬ 
tion  label  D.  The  syntactic  constructs  used  in  defining  labels  are  summarized  below. 


Label 

i 

Simple  Label 

K 

Secrecy  label 

S 

Secrecy  tags 

a 

Secrecy  tag 

s 

Principal 

prin 

Integrity  label 

I 

Integrity  tag 

i 

Declassification  tags 

D 

Declassification  tag 

d 

(S,I,D) 

(a,  i) 

C'(cr)  |  F(a,a) 

{si  j  •  •  ■  j  Sji} 

prin  |  url.prin  \  *u  .prin  \  \.prin 
id  ext  |  user  |  *p 
{ir ,  •  •  • ,  im  } 

API 

{  dr , •  •  • ,  dn  } 

-s  |  +  i  |  s  ->•  s'  |  i  ->  i' 


Basic  labels  The  basic  secrecy  label  is  a  set  of  secrecy  tags  {si, . . . ,  sn } .  Each  secrecy  tag  represents  an  origin 
of  a  secret.  We  treat  the  hostname  parts  of  URLs,  extension  IDs,  and  the  user  operating  the  browser  (notated  as 
the  tag  user)  as  origins.  The  integrity  label  is  a  set  of  integrity  tags  {ix, . . .  ,in}-  Each  integrity  tag  represents  the 
privilege  to  access  a  sensitive  resource  (namely,  APIs).  Even  though  these  tags  are  reminiscent  of  permissions,  our 
enforcement  mechanism  treats  them  in  such  a  way  that  it  can  prevent  the  privilege  escalation  that  commonly  occurs 
in  permission-based  systems.  The  declassification  label  is  a  set  of  capabilities  for  endorsement  (+*),  declassification 
(— s),  and  reclassification  (si  — >  s2,  ii  — >  *2);  we  explain  these  later. 

A  simple  label  k  is  a  pair  of  a  set  of  secrecy  tags  a  and  a  set  of  integrity  tags  l. 

Ignoring  declassification,  an  entity  labeled  (Si,  Ii,  {})  can  send  data  to  an  entity  labeled  (62,  h,  {})  if  Si  C  S2 
(the  destination  is  authorized  for  at  least  as  many  secrets  as  the  source)  and  7i  D  I2  (the  source  has  at  least  as  many 
“permissions”  as  the  destination). 

For  example,  a  DOM  subtree  that  represents  content  loaded  from  ad.com  would  have  a  label  that  includes  the 
secrecy  tag  ad 1 ;  APIs  that  allow  extensions  to  access  the  browser’s  local  storage  have  labels  that  include  a  localStorage 
integrity  tag.  Data  from  a  script  labeled  ({cnn,  ad},  {},  {})  wouldn’t  be  allowed  to  flow  to  a  DOM  node  labeled 
({cnn},  {},  {})  because  the  latter  is  permitted  fewer  secrets  (e.g.,  isn’t  permitted  secrets  labeled  ad). 


Floating  labels  The  basic  secrecy  label  is  too  rigid  to  allow  entities  to  adapt  to  the  browser’s  dynamic  environment. 
E.g.,  the  label  of  a  DOM  node  on  a  cnn.com  page  might  initially  contain  only  a  cnn  secrecy  tag  to  reflect  that  it 
contains  information  from  cnn .  com;  after  a  password  manager  fills  in  a  form  field  on  the  page,  however,  the  label  of 
the  form  field’s  DOM  node  needs  to  change  to  reflect  that  it  also  contains  information  from  another  source. 

We  express  the  policy  that  allows  dynamic  tainting  of  an  entity  as  a  floating  secrecy  label.  This  is  similar  to  JIF’s 
parametric  labels.  A  floating  secrecy  label,  written  F(<Ji,  a2),  has  two  components:  <7\  is  the  set  of  secrecy  tags  that 
the  entity  has  at  initialization  time;  <72  is  a  ceiling  (upper  limit)  of  the  secret  that  this  entity  can  be  tainted  with.  In 
other  words,  a  secrecy  label  F(ax,  a 2)  can  float  to  F(a(,  a 2)  as  long  as  a'x  C  02- 

This  is  useful  when  we  want  to  prevent  information  from  reaching  an  entity.  For  example,  a  floating  secrecy 
label  of  the  form  .F({siteA},  {siteA,  siteB})  indicates  that  the  labeled  entity  possesses  siteA  secrets  and  is  willing  to 

'For  brevity,  we  write  ad  instead  of  ad.com  throughout. 
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receive  siteB  secrets.  Its  label  will  then  change  to  F({siteA,  siteB},  {siteA,  siteB}),  continuing  to  protect  the  siteB 
secret.  To  clearly  distinguish  floating  labels  from  ordinary  ones,  we  henceforth  write  non-floating  secrecy  labels  as, 
e.g.,  C({siteA}). 

Compound  labels  Going  back  to  the  password  example,  the  password  field  is  owned  by  cnn .  com,  but  can  be 
written  to  by  the  user  or  an  extension.  We  would  want  both  labels,  as  both  secrets  are  involved,  but  we  may  want  to 
maintain  the  notion  of  a  primary  owner,  for  purposes  that  we  will  shortly  show.  To  this  end,  we  introduce  dot-separated 
compound  tags:  S1.S2  indicates  that  si  is  the  primary  owner  of  the  data. 

Returning  to  our  example,  the  secrecy  tag  cnn. user  would  be  part  of  the  label  of  a  DOM  node  originally  loaded 
from  cnn.com  (hence  cnn)  at  the  user’s  behest  (hence  user),  e.g.,  if  the  tab  was  opened  and  the  URL  typed  in  by 
the  user.  More  concretely,  nodes  in  the  DOM  of  the  cnn .  com  page  would  initially  be  labeled  with  the  secrecy  tag 
T’dcnn.user},  {cnn.*});  the  {cnn.*}  ceiling  indicates  that  it  is  OK  for  the  node  to  be  tainted  (repeatedly)  with  secrets 
of  all  entities  whose  secrecy  label  has  the  form  {cnn.*}.  In  contrast,  F({},  {{.user})  means  that  an  entity  with  that 
label  can  be  tainted  exactly  once,  e.g.,  to  ^({cnn.user},  {cnn. user}).  This  label  is  suitable  for  content  scripts,  which 
are  injected  into  multiple  pages,  but  any  script  instance  is  injected  into  exactly  one  page. 

One  purpose  for  compound  labels  is  to  allow  labels  to  reflect  which  entities  influenced  the  content,  while  retaining 
the  ability  to  leave  a  specific  entity  in  control  of  the  content.  For  example,  we  may  choose  to  allow  requests  to 
send  requests  to  cnn .  com  only  if  they  are  compatible  with  the  destination  label  ((^({cnn.*}),  {network},  {}),  which 
concisely  expresses  the  policy  that  only  cnn .  com  pages  are  allowed  to  make  requests  to  cnn .  com,  and  that  they  can 
do  so  even  if  their  content  has  absorbed  input  from  the  user  or  other  entities  (e.g.,  they  include  a  secrecy  tag  like 
cnn. user).  Similar  policies  can  be  expressed  with  declassification,  which  we  discuss  next. 

Declassification,  reclassification,  and  endorsement  Declassification  and  endorsement  capabilities  allow  an  entity 
(e.g.,  an  extension  core)  to  circumvent  constraints  that  it  would  otherwise  incur  because  of  its  secrecy  and  integrity 
tags.  Declassification  is  a  powerful  (and  dangerous)  operation,  and  declassification  capabilities  should  be  granted  to 
entities  only  judiciously.  At  the  same  time,  declassification  is  necessary,  since  some  extensions,  like  the  password 
manager,  collect  many  secrets,  yet  their  functionality  requires  that  they  (selectively)  copy  those  secrets  into  arbitrary 
web  pages. 

In  our  password  manager  example,  the  extpw(jMgr  core  has  the  —  *  .extpwc|  capability.  This  is  to  ensure  that  no 
matter  how  many  secrecy  tags  like  someSite.extpw(j  it  accumulates  in  its  secrecy  label  as  a  result  of  saving  passwords, 
it  is  still  able  to  send  data  (passwords)  to  individual  web  pages  (e.g.,  cnn .  com).  Without  declassification,  those  secrecy 
tags  in  extpWdMgr’s  label  would  normally  cause  the  label  check  to  fail,  since  the  same  tags  are  not  present  in  cnn .  corn’s 
secrecy  tag,  including  its  ceiling.  Declassification  (and  reclassification  and  endorsement)  are  used  only  when  a  label 
check  would  otherwise  fail;  they  don’t  affect  an  entity’s  secrecy  and  integrity  tags  beyond  the  label  check. 

Reclassification  is  a  weaker  form  of  declassification:  the  si  —y  Sn  reclassification  tag  indicates  that  a  secrecy  tag  si 
can  be  converted  (for  the  purpose  of  a  label  check)  to  a  secrecy  tag  s-2- 

Endorsement  tags  are  similar  to  declassification  tags.  To  protect  the  local  storage  API,  we  give  the  API  the  integrity 
label  {localStorage};  only  entities  that  have  localStorage  in  their  integrity  label,  or  can  add  it  via  endorsement,  can 
use  it.  Hence,  we  give  the  extpw(jMgr  c°re  the  +localStorage  capability,  allowing  it  to  elevate  its  privileges  sufficiently 
to  use  the  local  storage  API  is  needed.  As  with  de-  and  reclassification,  endorsement  only  enables  a  label  check  to 
succeed,  and  has  no  persistent  effect  on  the  integrity  tags  in  a  label. 

1.2  Basic  Label  Operations 

Our  enforcement  mechanism  uses  a  set  of  label  operations  to  compute  labels  for  components  and  make  policy  deci¬ 
sions. 
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Plain  erasure 


F(a1,a2) 


Floated  erasure 

Taint 

Merge 
Add  Ceiling 
Generate  Lab  From 


C(a)- 
( S,I,D)~ 

C{a)* 

( S,I,D )* 
a  >tnt  C(a') 

(cr,  (,)  >tnt  (-S',  I,  D) 
(cti,  ti)  Wm  (ct2,  (-2) 

labFrom(prin) 


= 

=  (S*,I) 

=  C(o’) 

—  int  S',  T,  D 
=  (a  1  U  (J2,  (-1  fit; 

=  (F(a,T),t,{}) 
=  ({prm},{}) 


^Vl,cr2)* 
cr  >tnt  F(ox ,  (T2) 


0-1 


(T 1  U  CT2 


F(a  U  (Ji,  cr2) 


The  erasure  operation  t  removes  the  declassification  capabilities  and  returns  the  current  secrecy  and  integrity 
labels  of  £.  Similar  to  £~,  function  l*  also  removes  the  declassification  capabilities  from  t.  The  difference  is  that  £* 
computes  the  largest  set  of  secret  tags  that  a  component  with  £  can  be  tainted  with. 

Next,  we  define  a  tainting  operation  (tr,  t)  [>tnt  (S,  /,  D )  that  adds  0  to  the  secrecy  tags  of  S,  if  S  is  floating.  This 
operation  is  only  used  when  the  tainting  does  not  exceed  the  ceiling  of  S.  This  operation  is  used  to  generate  labels 
for  components.  For  instance,  when  an  event  handler  receives  an  event,  the  event  handler’s  label  is  tainted  with  the 
event’s  label. 

Simple  labels  form  a  lattice  (£,  E)  ,  where  £  is  a  set  of  simple  labels  and  C  is  a  partial  order  over  simple  labels. 
Intuitively,  the  more  secrecy  tags  a  component  has,  the  more  secrets  it  can  gather,  and  the  fewer  components  it  can 
send  data  to.  The  fewer  integrity  tags  a  component  has,  the  fewer  APIs  it  can  access,  and  the  more  components  it  can 
receive  data  from.  The  partial  order  over  simple  labels  is  defined  as  follows: 

Definition  1  (Label  order).  E  (ct2,  l2)  iff  Vs  €  ax,  3s'  €  tr2  s.t.  s  <  s'  and  t2  C  tx. 

For  integrity  labels,  we  can  do  a  simple  subset  comparison.  For  secrecy  tags  we  use  another  relation,  .S  |  <  s2,  to 
compare  individual  tags.  It  is  defined  as  follows: 


Si  <  s2  if  < 


si  =  s2 

si  =  url  and  s2  G  {*„,  f} 

Si  =  prin  and  s2  =  *p 
s2  =  sa-sb  and  Si  <  sa 
Si  =  sa.sb ,  s2  =  s'a.s'b,  sa  <  s'a  and  sb  <  s'b 


The  <  relation  is  reflexive.  The  wildcard  is  higher  than  a  concrete  label.  sa  is  lower  than  the  compound  label  sa.sb. 
We  do  not  include  a  rule  for  sb  <  sa.sb,  because  a  component  with  label  sb  may  generate  information  independent  of 

Assume  that  component  A  has  label  t  ,\  and  B  has  £ />.  Each  time  information  flows  from  component  A  to  B,  our 
enforcement  mechanism  checks  whether  B’s  label  allows  B  to  learn  all  the  secrets  A  knows.  Formally:  £a  E  £b* ■ 
If  the  check  succeeds,  B’s  label  is  updated  to  £a~  \>tnt  £ n • 

Our  enforcement  mechanism  checks  labels  before  web  requests  or  data  are  sent  to  remote  servers.  We  define 
NetDeclassify(n ,  url)  to  decide  whether  data  (web  requests)  with  label  (a,  l)  can  be  sent  to  url  as  follows. 


NetDeclassify((a ,  t),  url) 


allowed  if  Vs  G  tr,  s  =  url. s'  or  url 
disallowed  otherwise 


Declassification  capabilities  are  exercised  when  components  make  API  calls.  We  define  £  =>  n  to  mean  that  by 
raising  or  declassifying  £  we  can  obtain  n. 
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I  =>  j  K 


Ms  €  a' ,  3d\,  ■  ■  ■ 
or  3di,  ■  ■ 

,dncD  s.t.  Mj  £  [1,  n],dj  =  Sj  — ►  Sj+i  and  si  =  s,  sn+i  £  a 
■  ■  ,dn  £  D  s.t.  Mj  £  [1,  n  —  1],  dj  =  Sj  — >  Sj+i  and  si  =  s,dn  =  —  sn 

(C(cr'),  t,  D)  =>s  (cr,  t) 

Vs  £  cr  1 , 3d\ ,  •  •  • 
or  3di,  ■  ■ 

,dn  £  D  s.t.  V)  £  [1,  n],dj  =  Sj  — ►  Sj+i  and  si  =  s,  sn+i  £  cr 
■  •  ,dn  £  D  s.t.  Mj  £  [1,  n  —  1],  dj  =  Sj  —y  Sj+i  and  si  =  s,dn  =  —sn 

(F(ai,a2),i1D)  =>s  (cr,  z.) 

Vi  £  l,  3di,  ■  ■  ■ 
or  3d\, 

,dn  £  D  s.t.  Mj  £  [1,  n\,dj  =  ij  —>  ij+i  and  in+ 1  =  i,i\  £  t! 

*  *  * ,  dn  £  D  s.t.  Mj  £  [2,  nj,  dj  —  ij  — ^  ij-yi  and  in+i  =  i>  d\  —  T'G 

(S,t',D)  =>j  (cr,  i) 


1.3  Label  Composition 

A  webpage  is  composed  of  components  from  different  origins.  Each  component  comes  with  its  own  information  flow 
policy.  For  instance,  an  extension’s  content  script’s  policy  is  specified  in  the  manifest  file  of  that  extension.  When 
the  content  script  is  injected  into  a  page,  the  hosting  page  has  its  own  information  flow  policies,  which  may  include 
policies  regarding  allowed  information  flows  between  the  injected  script  and  its  surrounding  environment.  This  is 
where  policy  composition  is  necessary. 

There  are  two  situations  where  such  policy  composition  needs  to  be  considered:  (1)  a  host  webpage  includes 
external  resources  such  as  scripts  (including  content  scripts  from  extensions)  and  images;  and  (2)  a  host  page  embeds 
another  page  in  an  iframe  or  an  extension  injects  an  iframe  into  a  host  page. 

As  there  are  multiple  ways  to  compose  policies,  we  provide  a  notion  of  generalized  CSP  (GCSP),  which  allows 
a  page  to  specify  how  to  compose  the  page’s  policy  with  that  of  the  external  resources.  Here,  external  resources 
include  both  page  resources  and  content  scripts.  We  provide  four  pre-defined  composition  operations:  (1)  allow  flows 
allowed  by  either  policy,  (2)  the  page’s  policy  overrides  the  external  resource’s  policy,  (3)  the  external  resource’s  policy 
overrides  the  page’s  policy,  and  (4)  allow  flows  allowed  by  both  policies. 

GCSP  Syntax  Each  generalized  CSP  item,  denoted  x,  maps  a  principal  to  a  pair  of  an  integrity  policy  and  a  natural 
number  indicating  which  composition  rules  to  use  to  compute  the  secrecy  label.  Below  are  the  definitions. 

Integrity  Pol  00  ::=  ■  \  \F(APIi,  ■  ■  ■  ,  APIn) 

|  \FD(APh,---,APIn)  |wi,wa 
GCSP  %  '■’■=  '  I  X:Pr*n  ^  (w, «) 

GCSP  uses  a  natural  number  to  index  the  compositions.  (1)  simply  takes  the  union  of  the  secrecy  labels,  and  thus 
allows  the  content  script  to  learn  the  secrets  of  the  DOM  and  secrets  allowed  in  its  manifest  file.  (2)  allows  the  DOM’s 
policy  to  override  the  extension’s  policy.  (3)  allows  extension’s  policy  to  override  the  DOM’s  policy.  (4)  is  a  strict 
composition  policy  that  takes  the  intersection  of  the  policies.  If  the  intersection  is  empty,  we  do  not  inject  the  script. 

The  integrity  policy  is  used  to  specify  which  interfaces  the  external  scripts  can  have  access  too.  The  effect  of 
IF(APIs)  is  that  the  external  script  has  the  API  names  in  APIs  in  its  integrity  label.  This  allows  the  script  to  access 
the  APIs,  but  prevents  the  script  from  receiving  any  data  from  a  component  that  cannot  access  these  APIs.  Therefore, 
we  prevent  privilege  escalation.  The  effect  of  I F  D  ( ,4  Pis )  is  that  the  external  script  has  the  endorsement  of  API  names 
in  APIs  in  its  declassification  label.  This  is  closer  to  having  the  permission  to  access  the  APIs.  Using  endorsement 
capabilities,  the  external  script  can  launder  data  for  other  components. 
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Label  composition  functions  Next  we  formally  define  the  two  label  composition  functions,  one  for  page  resources 
such  as  content  scripts,  page  scripts,  and  images;  and  the  other  for  iframed  pages. 

computeResLab  (url ,  Kd,  x,  prin)  Computes  an  external  resource’s  label  based  on  url,  k,j,  x,  and  t.  url,  Kd,  and 
X  are  the  host  page/document’s  URL,  simple  label,  and  GCSP  respectively.  If  the  external  resource  is  a  content 
script,  l  denotes  the  content  script’s  initial  label.  If  the  external  resource  is  an  image  or  other  object  loaded  from 
an  external  URL,  i  is  the  resource  label  computed  from  its  URL. 

The  function  computeResLab  (url,  Kd,  X,  t)  works  as  follows.  Suppose  Kd  =  ( <Jd ,  Id)  and  £  =  (F(a i,  0-2)1  I,  D). 
Let  (lu.  n )  denote  the  composition  policy  for  prin  based  on  X-  The  function  computes  a  secrecy  label  a'  using 
computeResLab  s  (url,  ad,  F(a  1,0-2)),  an  integrity  label  /'  using  computeResLab I  (oj,  I),  and  an  endorse¬ 
ment  label  D'  using  computeResLab Dn  ( oj ,  D)  .  The  function  outputs  a  label  I!  =  (a' ,  V ,  D'). 

Before  defining  computeResLab s  (url,  ad,  F(a\,  0-2)),  we  define  an  operation  that  instantiates  the  secrecy 
label  of  a  content  script  to  a  specific  URL.  If  the  external  resource  is  a  content  script,  its  initial  label  will  contain 
some  f  .s  tags.  For  a  secrecy  tag  with  the  form  f  .s,  the  operation  url  >-  f  .s  instantiates  f  .s  to  url.s.  For  a  secrecy 
tag  that  does  not  contain  f,  url  >~  s  is  still  s. 


url  >-  s  = 


url.s'  if.s  =  f.s' 
s  otherwise 


In  the  following,  we  define  the  function  computeResLab sn(url ,  ad,  F(a  1, 0-2)). 


Allowed  by  either 
Allowed  by  CS’s  manifest 
Allowed  by  DOM’s  label 
Stricter  of  CS  and  DOM 


computeResLab  Si(url,  a  d,F  (a  i,a2))  =  F(ai,adU  (url  >~  0-2)) 
computeResLab s  (url,  ad,  S)  =  url  >~  S 
computeResLab  g3(url ,  ad,  F  (a±,  02))  =  F(-,ad ) 
computeResLab  s  (url,  ad,  F(a\,  02))  =  F(a\  C^ad,adF  (url  >~  02)) 


Then  we  define  the  function  computeResLab j  (co,  /),  where  oj  =  (IF(ti),  IFD(t2)) 
=  (IF (APIai,-  ■  • ,  APIan),  IFD (APIbl,-  ■  ■ ,  APIbm)). 


Allowed  by  either 
Allowed  by  CS’s  manifest 
Allowed  by  DOM’s  label 
Stricter  of  CS  and  DOM 


computeResLab  j  (to,  I)  =  IF(t-i)  U  / 
computeResLab  j  (ui ,  I)  =  I 
computeResLab  j  (ui,  I)  =  IF(tj_) 
computeResLab  j  (ui ,  I)  =  IF(ti)  (T  / 


Last,  we  define  the  function  computeResLab Dn  (u,  D ),  where  co  is  decomposed  as  above.  We  write  +l  to  denote 
the  set  of  endorsement  capabilities  obtained  from  the  set  of  integrity  tags  1. 


Allowed  by  either 
Allowed  by  CS’s  manifest 
Allowed  by  DOM’s  label 
Stricter  of  CS  and  DOM 


computeResLab D  (oj ,  D)  =  +IFD(i2)  U  D 
computeResLab Do(u) ,  D)  =  D 
computeResLab Ds(oj ,  D)  =  +IFD(i2) 
computeResLab Di(uj ,  D )  =  +IFD(i2)  D  D 


computeFrameLab(£i,(.2,X^Pr''‘n)  Computing  a  framed  page’s  label  based  on  the  frame’s  policy  and  the  page’s 
policy.  The  label  composition  functions  for  iframed  pages  are  similar.  Unlike  content  scripts,  the  label  does  not 
need  to  be  instantiated  by  the  host  page’s  URL;  and  therefore  the  composition  function  takes  the  label  of  the 
iframe  and  the  label  of  the  embedded  page  as  inputs. 

Suppose  i\  =  (F(a1,a2),h,D1),£2  =  (F(aa,  ab),  I2,  D2),  then 
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Allowed  by  either 
Allowed  by  embedded  page’s  label 
Allowed  by  parent’s  policy 
Stricter  of  the  two 


computeFrameLab  Si(F(cri,  1J2),  F(aa,  &b))  =  F{a\  U<ra,cr2  U  <Jb) 
computeFrameLab  S2(F{<j1,<j2),F  (cr a,crb))  =  F(aa,Vb) 
computeFrameLab S3(F(ai,  1J2),  F(aa,  &b))  =  F(ai,a2) 
computeFrameLab Si(F(ai,  a2),  F(aa,  ab))  =  F(a\  F(ja:a2  Fab) 


Allowed  by  either 
Allowed  by  embedded  page’s  label 
Allowed  by  parent’s  policy 
Stricter  of  the  two 


computeFrameLab j  (/1, 12)  =  I\  U  I2 
computeFrameLab /,  (/1, 12)  =  h 
computeFrameLab  j  (Ii,  I2)  =  h 
computeFrameLab ^(Ii,  I2)  =  I\  D  I2 


The  definition  of  computeFrameLab Dn  is  the  same  as  computeResLab o3(oj ,  D). 


1.4  Policies 

Browsers  currently  implement  many  security  policies.  Some  of  these  policies  are  clearly  about  information  flow  and 
map  cleanly  to  our  framework;  for  others  the  mapping  is  less  clear.  We  next  revisit  several  such  policies,  examining 
to  what  extent  they  map  into  a  framework  like  ours,  as  well  whether  the  framework’s  expressiveness  allows  richer  or 
more  powerful  variants  of  the  policies  to  be  stated  and  enforced. 


Same-origin  policy  Browsers  use  the  same-origin  policy  (SOP)  to  manage  access  to  different  origins.  Origins  are 
usually  defined  as  the  tuple  (scheme, host.port).  Scripts  from  one  origin  cannot  read  content  from  another  origin  (e.g., 
via  XMLHttpRequest),  nor  can  they  locally  read  data  from  tabs  from  other  origins.  The  precise  implementation  of  the 
SOP  is  slightly  more  nuanced:  outgoing  requests  to  other  origins  are  allowed,  but  data  that  they  return  to  the  browser 
is  not  forwarded  to  the  entity  that  initiated  the  request. 

This  policy  can  be  easily  implemented  in  our  framework.  When  an  entity  makes  a  network  request,  the  label  for  the 
network  controller  is  instantiated  using  the  outgoing  (scheme,host,port)  tuple.2  For  an  attempted  access  to  cnn .  com, 
this  results  in  the  label  £network  =  (C({cnn.*}),  {network},  {}).  For  an  entity  with  label  £e  to  be  allowed  to  send  data 
on  the  network,  label  checks  would  have  to  permit  a  flow  from  £e  to  £network',  this  will  be  allowed  only  if  le  includes  a 
reclassification  or  declassification  capabilities.  To  return  data  from  the  network,  label  checks  would  have  to  allow  the 
flow  from  £network  to  te.  This  will  succeed  only  if  the  secrecy  label  of  £e  contains  cnn.*. 

In  the  absence  of  additional  restrictions,  the  calling  page  or  script  could  have  a  sufficiently  flexible  label  £e  to 
enable  either  the  outgoing  or  the  incoming  path.  Hence,  to  enforce  the  SOP  on  an  entity,  the  browser  needs  only  to 
prohibit  that  entity  from  having  a  label  that  allows  it  to  gather  secrecy  tags  other  than  those  conveying  its  origin.  If 
we  wished  to  also  disallow  outgoing  cross-origin  requests,  the  browser  would  need  to  prevent  the  entity’s  label  from 
being  able  to  declassify  the  tags  that  describe  its  origin. 

In  practice,  a  strict  SOP  prevents  many  commonly  used  web  idioms,  which  our  prototype  does  not  attempt  to 
enforce. 


Domain  relaxation  A  page  can  set  its  document .  domain  value  to  a  suffix  of  its  current  domain,  allowing  pages 
with  different  prefixes  of  the  same  hostname  to  communicate.  E.g.,  a  page  from  login .  a .  com  and  a  page  profile . 
a .  com  can  both  set  their  domain  to  a .  com,  at  which  point  their  origins  will  be  considered  the  same,  and  the  pages  will 
be  allowed  to  access  each  other’s  DOM. 

Domain  relaxation  can  be  implemented  in  our  framework  in  several  ways.  One  is  for  profile .  a .  com  to  have  the 
secrecy  tag  F({profile.a.com},  {profile. a. com,  login. a. com}),  which  allows  it  to  receive  secrets  from  login .  a .  com; 
and  for  login .  a .  com  to  have  a  corresponding  secrecy  label. 

-All  our  hostname-based  tags  include  the  scheme  and  port,  though  we  generally  elide  this  for  clarity. 
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Another  option  is  to  give  each  page  the  name. a. com— > a. com  reclassification  capability.  This  would  allow  such 
pages  to  talk  to  a .  com,  but  not  yet  to  each  other  (because  we  currently  apply  reclassification  only  if  necessary  to 
complete  a  request,  and  only  on  the  source  entity).  To  accomplish  that,  their  respective  secrecy  tags  name. a. com  would 
additionally  need  to  be  replaced  with  a. com,  which  could  be  accomplished  by  the  browser  crawling  over  the  page’s 
DOM  and  changing  the  secrecy  tags  of  any  nodes  with  the  appropriate  labels  from  name. a. com  to  a. com. 

CSP  A  CSP  allows  a  page  to  specify  from  where  page  resources  (e.g.,  3rd-party  scripts)  can  be  loaded.  The  policy 
applies  to  images,  scripts,  etc.  CSPs  can  be  broadly  interpreted  as  policies  that  a  host  page  sets  to  constraint  the 
information  flow  between  the  host  page  and  remote  servers  from  which  external  resources  originate.  When  the  request 
(e.g.,  HTTP  GET)  is  sent  to  a  remote  server,  information  flows  from  the  browser  to  the  remote  server.  The  host  page 
can  send  arbitrary  information  to  the  remote  server  in  this  way  by,  e.g.,  embedding  it  in  the  URL  string  of  the  HTTP 
GET  request.  Once  loaded,  external  resources  such  as  scripts  can  interact  with  the  rest  of  the  page  as  well  as  with 
remote  servers.  Our  generalized  CSP  (GCSP)  (Section  1.3)  can  be  used  to  specify  the  above-mentioned  information- 
flow  constraints  present  in  CSPs. 

There  are  two  main  differences  between  our  GCSP  and  the  existing  CSP.  First,  the  existing  CSP  takes  effect  only 
at  resource-loading  time  and  does  not  constrain  transitive  information  flows.  E.g.,  if  url’s  CSP  forbids  scripts  from 
ad.com,  it  doesn’t  mean  that  an  extension’s  content  script  running  in  the  same  page  is  prevented  from  sending  to  or 
receiving  information  from  ad.com.  GCSP  enforces  a  stricter  policy:  Any  information  tagged  with  a  url  secrecy  tag 
cannot  be  sent  to  components  that  do  not  have  that  tag.  Second,  CSPs  also  enforce  policies  other  than  information 
flow.  For  instance,  not  loading  resources  from  an  external  resource  also  prevents  the  external  resource  from  using  local 
resources  such  as  the  screen  or  CPU.  This  will  effectively  protect  the  user  from  seeing  offensive  ads,  prevent  scripts 
from  draining  the  laptop  battery,  etc. 

In  modern  browsers,  web  pages  are  allowed  to  embed  third-party  content  with  little  restriction.  Our  modified 
browser  has  stricter  constraints.  To  allow  web  pages  to  load  third-party  content,  we  explicitly  enable  two-way  com¬ 
munication  between  the  page  and  the  external  resources. 

postMessage  postMessage  is  a  JavaScript  API  which  allows  web  pages  to  communicate  across  domains  on  the  client 
side.  postMessage  works  in  two  conditions:  A  parent  page  embeds  another  page  in  an  iframe  or  a  parent  page  opens 
another  page  in  a  new  tab.  In  both  cases,  the  API  allows  two-way  communication.  The  postMessage  send  needs  to 
specify  the  destination,  and  the  receiver  can  check  the  source. 

To  allow  communications  using  postMessage  APIs  in  our  system,  the  sender  and  receiver’s  labels  need  to  be 
adjusted.  If  a  host  page  were  to  send  data  directly  to  an  iframe  from  a  different  origin,  the  request  would  be  denied 
by  our  browser.  To  allow  postMessages  to  work,  labels  are  assigned  to  the  host  and  iframed  page  in  similar  ways  as 
discussed  for  SOP  and  CSP. 

iframe  policies  iframes  were  introduced  as  an  isolation  mechanism  for  a  parent  page  to  confine  untrusted  pages. 
However,  iframes  have  been  abused  to  embed  trusted  pages  within  malicious  pages,  which  then  mount  phishing  and 
clickjacking  attacks. 

To  prevent  such  attacks,  a  server  can  specify,  using  the  x-Frame-Options  header,  that  the  page  should  not  be 
rendered  inside  a  iframe  at  all,  or  should  only  be  rendered  inside  an  iframe  of  a  page  from  a  specified  origin. 

In  a  pure  information-flow  approach,  disallowing  a  page  from  loading  in  an  iframe  cannot  easily  be  done.  We 
can,  however,  prevent  the  parent  from  gaining  information  from  a  loaded  iframe.  For  example,  if  a .  com  tries  to  place 
victim,  com  in  an  iframe  on  its  page  and  receive  information  from  the  iframe,  it  would  have  to  have  a  secrecy  label 
that  can  float  to  include  victim,  corn’s  secrets.  To  prevent  a .  com  from  having  a  label  that  allows  this,  the  browser 
would  have  to  generate  a .  corn’s  label  from  something  other  than  a .  corn’s  (self-supplied)  CSP.  While  such  restrictions 
could  be  expressed  cleanly  in  our  framework  using  composition  operators  (Section  1.3),  we  have  not  yet  explored  this 
approach. 
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Extension  host  permissions  Extensions  specify  host  permissions  in  its  configuration  files  to  ask  for  permissions 
to  access  different  pages.  The  browser  matches  the  URL  in  the  host  permissions  and  the  URL  of  the  page  to  decide 
whether  to  inject  the  script.  Our  label  system  can  enforce  the  host  permission  checking.  The  label  for  the  content  script 
is  formed  as  F  ({extension} ,  { extension ,  hostjpermission}).  When  the  script  is  going  to  be  injected,  the  label 
check  happens  and  verifies  whether  the  extension  is  allowed  to  access  the  page.  We  can  even  do  better  for  blocking 
information  leakage  if  we  use  the  stricter  label  composition,  in  which  case  if  the  page  is  tainted  with  information  from 
other  domains,  the  content  script  cannot  collect  information  from  other  domains. 

Extension  API  permissions  Extensions  can  access  some  browser  APIs  if  they  declare  these  APIs  in  the  configura¬ 
tion  file. 

We  use  integrity  labels  for  controlling  access  to  APIs,  which  also  guards  against  privilege  escalation.  If  an  exten¬ 
sion  has  access  to  one  API,  the  API  will  be  included  in  its  integrity  label,  and  when  information  is  about  to  flow  from 
the  extension  to  another  party,  our  system  will  compare  the  labels  to  make  sure  that  the  information  does  not  flow  to  a 
party  which  does  not  have  access  to  that  API. 


2  System  States 

Scripts  Executable  code  present  in  browser  extensions  as  well  as  webpages  is  abstractly  represented  as  commands, 
denoted  cmd.  We  model  basic  script  functionality  including  updating  variables,  making  function  and  API  calls,  and 
branching  on  conditions. 


Command 

cmd 

:;=  skip 
let  x 

ret  exp  \  x  :=  exp  \  APIa(exp)  |  let  x  =  f(exp)  in  cmd 
=  API s(exp)  in  cmd  \  cmdp,  cmd?  |  if  exp  then  cmd\  else  cmd-2 

Expression 

exp 

::=  x  |  c 

|  exp1  bop  exp2  |  uop  exp  \  (exp1,  ■  ■  • ,  expn ) 

Function  decl 

fdecl 

::=  f(x) 

=  cmd  |  x.cmd 

Variable  Env 

r 

"=  ‘  1  T, 

X  K >  V 

API  calls  include  label  checking.  Asynchronous  API  calls  are  treated  as  a  command  API a(exp).  Synchronous 
API  calls,  denoted  let  x  =  API  s(exp)  in  cmd,  block  for  return  values. 


Events  and  event  handlers  The  syntax  of  events  and  event  handlers  is  summarized  below.  We  write  e  to  denote  an 
event,  £  to  denote  an  event  queue,  EventHandler  to  denote  an  event  handler,  and  Event-Handlers  to  denote  a  set  of 
event  handlers. 


Event 

Event  Queue 
Return  channel 
Event  handlers 
Event  handler 
Blocking  flag 


e 

£ 

return 

EventHandlers 

EventHandler 

BlockingFlag 


( ide ,  eventType,  return,  info,  k) 

•  |  £  ::  e 

none  |  som e(ayncRet,  id)  |  some(e,  id) 

■  |  EventHandlers,  EventHandler 

(id,  eventType,  x.cmd,  £,  BlockingFlag,  cmd,  ide,  return) 

blocking  |  nonblocking 


An  event  is  a  tuple  consisting  of  a  unique  event  ID  (ide),  an  event  type  ( eventType ),  whether  actions  are  needed 
after  the  event  is  processed  (return),  additional  arguments  of  the  event  (info),  and  the  information  flow  label  for  the 
event  («).  eventType  should  contain  sufficient  information  for  dispatching  an  event.  For  instance,  the  eventType  for 
a  button  onClick  event  is  button  Lone  lick  and  the  eventType  for  a  tab  onCreated  event  is  tabs.onCreated.  return  is 
either  none  indicating  when  the  event  handler  for  that  event  finishes,  no  action  needs  to  be  taken;  or  sovne(ayncRet ,  id) 
indicating  indicating  this  event  is  generated  in  relation  to  an  asynchronous  call,  and  when  its  event  handler  finishes 
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processing,  the  event  handler  need  to  invoke  a  callback  function  specified  by  id.  some(e,  id)  is  only  used  by  event 
handlers  and  is  explained  later. 

There  are  two  kinds  of  events  in  terms  of  processing  modes,  namely,  blocking  events  and  non-blocking  events. 
For  blocking  events,  event  handlers  can  register  to  run  in  blocking  mode.  The  browser  finishes  processing  a  blocking 
event  only  when  all  its  handlers  in  blocking  mode  have  been  executed.  For  non-blocking  events,  handlers  cannot  run  in 
blocking  mode.  After  dispatching  a  non-blocking  event,  the  browser  can  move  to  the  next  step  without  executing  all  the 
event  handlers.  Note  that  we  don’t  introduce  an  index  to  indicate  whether  an  event  is  blocking  or  non-blocking.  Only 
the  events  with  certain  event  types  are  blocking  events,  e.g.,  webRequest.onBeforeRequest  events.  Given  an  event, 
from  its  type,  we  can  tell  whether  it  is  a  blocking  event.  The  return  channel  for  an  event  handler  can  be  some(e,  id) 
when  the  event  handler  is  a  blocking  event  handler,  processing  event  e  with  a  unique  ID  id. 

An  event  handler  has  its  own  unique  ID,  the  type  of  event  that  it  processes,  and  the  code  for  processing  events 
( x.cmd ).  An  event  handler  can  only  process  one  event  at  a  time;  events  waiting  to  be  processed  are  stored  in  an  event 
queue  8.  The  BlockingFlag  indicates  whether  a  handler  is  a  blocking  event  handler.  The  last  three  fields  in  the  event 
handler  are  the  script  processing  the  current  event,  the  ID  of  the  event  being  processed,  and  the  return  information  of 
the  event  being  processed.  For  page  script  handlers,  id  is  the  node  ID  of  the  corresponding  script  node. 


Extensions  An  extension  is  a  tuple  consisting  of:  a  unique  ID,  one  extension  core,  several  content  scripts,  local 
storage,  an  active  flag,  and  a  policy  label.  A  static  extension  core  is  a  tuple  consisting  of  a  variable  environment  F, 
commands  cmd  corresponding  to  the  main  function  of  the  core,  and  a  list  of  event  handlers.  A  content  script  contains 
three  identifiers  (the  ID  of  the  extension  it  belongs  to,  its  own  unique  ID,  and  the  ID  of  the  tab  in  which  it  runs); 
programs  modeled  as  T,  cmd,  EventHandlers ;  an  index  runat  for  indicating  when  to  inject  the  script  to  a  tab;  and  a 
policy  label.  The  active  flag  aFlag  indicates  whether  an  extension  is  active. 


Installed  extension 

Ext 

Content  scripts 

ExtCSs 

Content  script 

ExtCS 

Injection  time  tag 

runat 

Extension  core 

ExtCore 

Ext  active  setting 

activeFlag 

Storage 

Storage 

Objects 

objects 

Object 

object 

Installed  extensions 

Exts 

( idext ,  ExtCore,  ExtCSs,  Storage,  activeFlag ,  £) 

•  |  ExtCSs,  ExtCS 

( idext ,  idcs,  idt,T,  cmd,  EventHandlers,  runat,  t) 

DocBegin  |  DocEnd  |  Doddle 

(r,  cmd,  EventHandlers) 
active  |  inactive 
objects,  £ 

■  |  objects,  object 
(id,  content) 

■  |  Ext  ::  Exts 


Simplified  DOM  We  model  the  main  page  and  the  iframed  subpages  contained  in  a  browser  tab  as  a  list  of  documents 
Docs.  A  document  Doc  is  defined  as  (idd,  url,  nodes,  DocCSs,  %,  £)■  idd  is  the  document  ID.  url  is  the  page  URL. 
nodes  denotes  the  page  elements.  DocCSs  are  the  content  scripts  injected  by  extensions,  x  denotes  the  content 
security  policies  of  the  page.  Each  document  is  associated  with  a  policy  label. 

A  page  consists  of  many  elements,  e.g.,  images,  scripts,  forms,  etc.  In  the  Document  Object  Model  (DOM),  the 
elements  in  a  page  are  organized  in  a  tree  structure.  Our  model  inherits  the  tree  structure  from  the  DOM.  The  elements 
in  a  page  are  modeled  as  tree  nodes  in  a  document.  A  node  is  defined  as  (id,  attributes,  nodes,  content,  £).  id  denotes 
the  node  ID.  attributes  contains  general  information  about  the  node,  e.g.,  the  content  type,  the  URL  (if  the  node  loads 
external  object),  and  the  parent  node  ID,  etc.  If  the  node  is  a  script  node,  attributes  also  contains  the  script’s  event 
handlers’  IDs.  nodes  are  the  child  nodes,  content  is  a  piece  of  data  with  a  specific  format,  e.g.,  an  image  file.  £  is  the 
policy  label  attached  on  the  node. 
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Documents  Docs  ::=  -\  Docs,  Doc 

Document  Doc  ::=  (id d,url,  nodes,  DocCSs, x,£) 

Node  node  ::=  (id ,  attributes ,  nodes ,  content ,  £) 

Nodes  nodes  ::=  •  j  nodes,  node 

Attributes  attributes  ::=  (type,  url,  ■  •  •) 

Content  Type  type  stylesheet  |  script  |  image  |  ••• 

Bookmarks  Like  the  DOM,  bookmarks  have  a  tree  structure.  Operations  on  bookmarks  include  insertion,  deletion, 
and  mutation  of  nodes  and  subtrees.  As  with  the  DOM,  we  could  allow  each  node  to  be  tainted  with  the  label  of  the 
entity  that  updates  the  data  structure.  The  drawback  is  that  to  prevent  information  leakage,  many  simple  operations 
would  be  prohibited.  For  instance,  if  a  script  with  many  secrets  wrote  to  the  root  of  the  bookmark  tree,  then  no  entities 
that  are  allowed  fewer  secrets  could  read  any  bookmark.  Since  bookmarks  have  a  long  life  cycle,  this  is  too  prohibitive. 
Instead,  we  borrow  ideas  from  multi-level  secure  execution.  We  implement  a  multi-level  bookmark  MBookmarks  data 
structure,  consisting  of  a  set  of  pairs  of  a  bookmark  bookmark  and  a  simple  label  k.  The  label  indicates  the  secrecy 
and  integrity  level  of  the  bookmark.  A  bookmark  is  a  tree:  each  leaf  node  is  a  bookmark  entry  and  each  non-leaf  node 
represents  a  directory. 

Multi-level  bookmarks  MBookmarks  •  |  MBookmarks,  MB ookmark 

Bookmarks  MBookmark  ::=  bookmarks,  k 

Bookmarks  bookmarks  ::=  •  |  bookmarks ,  bookmark 

Bookmark  bookmark  ::=  (id,  title,  bookmarks  \  id,  title,  url) 

Cookies  Cookies  are  similar  to  bookmarks  in  that  they  are  long  lived;  tainting  them  would  interfere  with  normal 
functionality.  Hence,  we  label  each  with  a  simple  label  n.  For  cookies,  the  label  corresponds  to  the  cookie’s  domain, 
so  web  sites  can  set  and  retrieve  their  cookies,  which  is  the  main  functionality  needed  of  cookies.  To  operate  on 
cookies,  an  entity  needs  to  be  able  to  reclassify  to  the  secrecy  label  of  a  cookie’s  domain,  which  is  consistent  with 
having  the  ability  to  access  content  from  that  domain. 

Cookies  Cookies  ::=  ■  \  Cookies,  Cookie 

Cookie  Cookie  ::=  (name,  value,  url,  k) 

Histories  History  entries  have  simple  labels  as  well.  Each  history  item  history  has  the  secrecy  and  integrity  label 
of  the  entity  that  caused  the  history  entry  to  be  created.  When  querying  history,  an  entity  with  label  £  is  given  results 
composed  of  entries  whose  label  is  lower  than  or  equal  to  l.  When  deleting  history  entries,  only  entries  with  label 
equal  to  or  higher  than  £  are  removed. 

Histories  histories  ::=  •  |  histories ,  history 

History  history  (id,  url,  name,  visitTime,  visitType,  k) 

Runtime  extension  instances  When  an  extension  core  injects  a  content  script  using  API  chrome. tabs.executeScript, 
the  injected  script  may  not  run  right  away.  Instead,  it  is  stored  in  proglnjCSs.  DocCSs  is  the  list  of  active  content 
scripts.  idr  is  the  unique  identifier  for  that  runtime  instance.  The  runtime  instance  of  an  extension  core  is  denoted 

ExtCoreR. 

Injected  content  scripts  proglnjCSs  ::=  ■  \  proglnjCSs,  ExtCS 

Doc  content  scripts  DocCSs  ::=  ■  \  DocCSs,  DocCS 

Doc  content  script  DocCS  ::=  (idext,  idcs,  idr,T,  cmd,  EventHandlers,£) 

Runtime  Core  ExtCoreR  ::=  idext,  ExtCore,£ 

Extension  cores  ExtCoreRs  ::=  •  |  ExtCoreRs,  ExtCoreR 
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Browser  state  The  top-level  system  state  S  contains  tabs  in  the  browser  ( Tabs),  run-time  extension  cores  ( ExtCoreRs ), 
static  copies  of  programmatically  injected  content  scripts  ( proglnjCSs )  installed  extensions  ( Exts ),  cookies  {Cookies), 
bookmarks  ( MBookmarks ),  histories  ( histories ),  and  user  actions  (UI). 


System  state  S 

Browser  state  'T 

Async  Call  Browser  States  ayncCall 
Async  Call  Ret  States  ayncRet 

Browser  sub-state  if 

Tabs  Tabs 

Tab  Tab 

UI  UI 


(’k.  Tabs,  ExtCoreRs ,  proglnjCSs ,  Exts, 

Cookies,  MBookmarks,  histories,  UI) 

■  I 

chrome. management. setEnabled  |  •  •  • 
chrome. runtime. sendMessage.ResponseGenerated  |  ••• 
ws.beforeRequest(K,  idt,  idd,  idn,  ide,  url,  info)  ■  ■  ■ 
ayncRet  \  ayncCall 

DoneBlkEvtState(-  •  •)  |  ProcBlkEvtState(-  •  •) 

•  |  Tabs,  Tab 

(idt,  Docs,  url,  EventHandlers ,  £) 

(user,  cmd,£) 


User  is  denoted  by  a  tuple  consisting  of  a  unique  ID  user,  commands  that  user  intend  to  executes,  and  the  label  of  the 
user.  For  instance,  the  API  call  chrome. tabs. create(-  •  •)  corresponds  to  a  user  pressing  “Ctrl  +  T”. 

A  browser  tab  (tab)  is  the  tuple  (idt,  Docs,  url,  EventHandlers ,  £).  Each  tab  has  a  unique  ID,  idt ■  Docs  denotes 
the  documents  in  the  tab,  including  the  top-level  document  and  sub-documents  (if  any).  EventHandlers  comes  from 
the  page  scripts.  When  a  script  node  is  loaded,  we  extract  the  event  handlers  and  add  them  to  ScriptHandlers.  Later, 
even  the  script  node  is  removed  from  the  doc,  the  handlers  are  still  kept  in  ScriptHandlers.  £  are  the  DOM  events 
generated  in  the  tab.  t  is  the  tab’s  label. 

The  initial  system  state  is  denoted  Einit.  When  a  system  starts  from  a  clean  state  (not  recovered  from  a  pre-stored 
state),  it  does  not  contain  any  tab,  runtime  extension  cores,  or  programmatically  injected  content  scripts.  So  Elnit  is 
•,  •,  Exts ,  MCookies,  MBookmarks,  UI”. 

'k  denotes  the  browser’s  state.  This  can  be  composed  of  several  types  of  sub-state. 

The  first  type  is  the  web  request  internal  state.  For  instance,  if  the  browser  is  going  to  load  an  external  image  to 
a  page,  the  system  will  generate  a  ws.beforeRequest  state.  A  ws.  before  Request  takes  seven  arguments:  n,  idt,  idd, 
idn,  ide,  url,  and  info,  k  is  the  web  request  issuer’s  label.  In  the  above  example,  the  issuer  is  the  DOM  node  which  is 
going  to  load  the  image,  idt,  idd,  and  idn  are  the  hosting  tab,  doc  and  node  ID  respectively,  url  is  the  image’s  URL. 
info  is  a  reserved  place  for  storing  additional  information.  For  example,  if  the  web  request  is  for  loading  a  subpage 
into  an  iframe,  we  could  store  the  frame  policy  for  the  subpage  in  info. 

The  second  type  is  the  asynchronous  API  call  state.  When  an  entity  makes  an  asynchronous  API  call,  a  corre¬ 
sponding  asynchronous  call  state  ayncCall  will  be  generated.  After  the  browser  processes  the  API  call,  if  there  is  a 
return,  an  asynchronous  call  return  state  ayncRet  will  be  generated.  ayncRet  contains  the  API’s  return  value. 

The  third  type  is  the  blocking  event  state.  Given  a  blocking  event,  if  there  are  multiple  matching  blocking 
event  handlers,  the  browser  can  only  proceed  to  the  next  step  if  all  the  handlers  have  finished  processing  the  event. 
Our  model  keeps  track  of  event  processing.  When  a  blocking  event  is  dequeued  from  a  blocking  event  handler,  a 
ProcBlkEvtState(-  •  •)  is  generated.  When  the  blocking  handler  finishes  processing  the  event,  a  DoneBlkEvtState(-  •  •) 
state  is  generated.  With  these  states,  we  know  whether  a  blocking  event  has  been  processed  by  all  the  matching  block¬ 
ing  handlers. 


Evaluation  contexts  We  first  define  script  variable  context  environments  as  follows. 


Docs  script  env 
Doc  script  env 
Node  script  env 
Nodes  script  env 


Docsenv(id) 

Docenv(id) 

nodeenv(id) 

nodesenv(id) 


■  |  Docs  ::  Docenv(id) 

idd,  url,  nodes env (id),  ExtCSs,  £ 
id,  attributes,  nodes,  content,  [  |,  £ 

■  |  nodes  ::  nodeenv(id) 
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These  contexts  include  a  hole  |  [  in  the  place  of  the  variable  environments  (T).  The  purpose  of  the  variable  context  is 
to  identify  such  Ts  so  values  of  variables  can  be  looked  up  and  the  environment  itself  can  be  updated. 

We  define  the  execution  contexts,  which  contain  a  hole  |  [indicating  the  position  of  the  current  evaluation. 

State  context  Ectx(id) 


Tabs  context 

Tabsctx{id) 

Tab  context 

Tabctxi.id) 

Doc  content  scripts  context 

DocCSsctx{id) 

Doc  content  script  context 

DocCSctx(idcs) 

Docs  context 

Docsctx{id) 

Doc  context 

Docctx(id) 

Event  handlers  context 

EventHandlers  ctx(id) 

Event  handler  context 

EventHandler  ctx{id) 

Extension  cores  context 

ExtCoreRsCfX{id) 

Extension  core  context 

Ext  CoreRCfx  (idext) 

Command  context 

cmdctx 

UI  context 

UIctx{  user) 

*3/,  Tabsctx{id),  ExtCoreRs,  proglnjCSs,  Exts,  Cookies , 
MBookmarks ,  histories,  UI ,  sMode 
d/,  Tabs,  ExtCoreRsctx(id),  proglnjCSs,  Exts,  Cookies, 
MBookmarks,  histories,  UI,  sMode 

■  |  Tabs  ::  Tabctx{id) 

idt,  Docsctx(id),  url,  EventHandlers ,  I 

idt,  Docsenv(id),  url,  EventHandlers ctx(id) ,  t 

•  |  DocCSs  ::  DocCSctx(id) 

id ext,  idcs,  idt,  I  [,  cmdctx,  EventHandlers ,  l 

id ext,  idcs ,  idt,  I  [>  cmd,  EventHandlers CfX{id) ,  £ 

■  |  Docs  ::  Docctx{id) 

idd,  url,  nodes,  DocCSsctx(id),£ 

■  |  EventHandlers  ::  EventHandlerctx(id ) 

id,  eventType,  x.cmd,  £,  cmdctx,  ide ,  BlockingFlag,  return 

■  |  ExtCoreRs  ::  ExtCoreRCfX{id) 

id  ext  5  (I  [j  cmdCfx,  EventHandlers) ,  I 

id  ext )  (I  [j  cmd,  EventHandlers  ctx)  i  £ 

;  |]  |  let  x  =  [  [  in  cmd  \  cmdctx',  cmd 
user,  x.cmd,  cmdctx,  £ 


We  write  Ectx\  x  | (*d)  to  denote  the  state  resulting  from  plugging  construct  x  into  context  Ectx(id).  In  terms  of 
script  context,  we  plug  in  two  constructs,  Ectx [  T,  x  [(id)-  where  T  is  the  context  that  maps  global  variables  to  their 
values.  We  define  a  function  ctxOfldfX’,  id)  to  return  the  label  of  the  closest  enclosing  context  of  the  element  with 
identifier  id  in  the  system  state  E. 


3  Transition  Rules 

The  top-level  transition  rules  are  of  the  form  S;  E;  £  — E/;  E' \  £' .  Here,  E  denotes  remote  servers,  which  are  active 
entities  that  exchange  information  with  the  browser.  E  is  the  browser  state.  £  denotes  events  waiting  to  be  processed. 
Events  can  be  user  inputs,  API  requests,  and  other  internal  browser  events.  Each  transition  is  labeled  with  an  action  /?, 
representing  the  observable  effects  of  that  transition.  In  this  technical  report,  for  rules  where  S  stay  the  same,  we  omit 
them  from  the  rules. 


3.1  Auxiliary  Definitions 

Web  servers  The  purpose  of  modeling  the  web  servers  is  to  model  web  attackers.  Each  web  server  is  a  pair  of  its 
URL  and  program.  A  web  server  either  listens  to  a  request  (listen),  or  sends  a  header  to  the  browser  (sendHeader(ft  )), 
or  sends  content  to  the  browser  (sendContent(Ii)). 

Web  servers  5  ::=  •  |  5,  (url,  exp) 

Server  Program  exp  ::=  listen;  a:,  exp  |  send Header(/i);  exp  |  sendContent(h);  exp  |  skip 
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Actions  Observable  actions,  denoted  a,  include  API  calls,  invocations  of  callbacks,  and  processed  events.  These 
actions  pass  on  information  to  event  handlers.  The  browser  makes  internal  transitions,  which  do  not  produce  observ¬ 
able  effects.  We  use  r  to  label  such  transitions,  and  call  them  silent  transitions.  We  define  an  execution  trace  p  as  the 
sequence  of  non-silent  actions  in  a  transition  sequence. 

Actions  a  ::=  e  |  API{ns,  args)  |  Ret(«;s,  args) 

Generalized  Action  /?  ::=  a\  r 

Traces  p  e  \  p,  a 

Definition  of  enqueuing  an  event  We  define  e  Tab  to  mean  that  event  e  is  related  to  the  tab  Tab.  We  assume 
that  each  event  carries  the  identifier  of  the  tab  that  it  is  generated  from.  For  events  that  are  returns  to  asynchronous 
API  calls,  it  is  related  to  a  tab  if  that  tab  contains  an  event  handler  which  is  the  callback  function  of  that  event.  This 
can  be  checked  by  examining  the  event  type.  An  event  will  be  added  to  each  matching  event  handler’s  event  queue. 
Labels  are  checked  when  an  event  handler  is  about  to  process  the  event.  Events  are  not  propagated  across  frames. 

EventHandler  <1  q  e  = 

EventHandler  eventTypeOf  (EventHandler)  ^  eventTypeOf  (e) 

EventHandler[eventQueue  -t=  eventQueue  ::  e]  eventTypeOf  {EventHandler)  =  eventTypeOf  (e) 

We  define  EventHandlers  <q  e  to  be  the  lifting  of  EventHandler  <q  e  to  the  list  of  event  handlers. 

=  ExtCoreR[EventHandlers  <=  EventHandlers  <q  e] 

=  DocCS\EventHandlers  4=  EventHandlers  <q  e] 

=  Doc[DocCSs  4=  DocCSs  <\q  e] 

J  Tab[EventHandlers  4=  EventHandlers  <]q  e]  e  Tab 
|  Tab  otherwise 

f  Tab[Docs  4=  Docs  e]  e  ~t  Tab 
|  Tab  otherwise 

=  Tab  e  <lps  e 

Relations  between  internal  browser  state  and  events  For  web  requests,  the  browser  processes  a  sequence  of 
events  in  a  particular  order.  We  use  internal  browser  state  to  track  such  ordering;  an  event  in  this  sequence  can  only  be 
processed  when  the  browser  is  in  a  corresponding  state. 

We  define  two  relations  to  specify  the  correspondence  between  an  internal  browser  state  and  an  event:  if  e  and 
if  e.  Because  events  can  be  blocking  or  nonblocking,  relates  a  state  and  a  blocking  event  and  relates  a 
state  and  a  non-blocking  event.  We  list  the  elements  in  both  relations  below. 

ws.beforeRequest(«;,  idcb,  ( idt ,  idd ,  idn),  ide,  url,  info)  {ide,  webRequest.onBeforeRequest,  •  •  •  ,n) 
ws.beforeSendHeader(«;,  idcb,  ( idt ,  idd,  idn),  ide >  url,  info)  {ide,  webRequest.onBeforeSendHeaders,  •••,«;) 
ws.headerReceived(ft,  idcb ,  {idt,  idd,  idn),  ide,  url,  info)  {ide,  webRequest.onHeadersReceived,  •••,«) 

ws.beforeRequest.redirect(«,  idcb,  {idt,  idd,  idn),  ide,  url,  info)  ~„f,  {ide,  webRequest.onBeforeRedirect,  •••,«) 
ws.headerSent(ft,  idcb,  {idt,  idd,  idn),  ide,  url,  info)  ~„e,  ( ide ,  webRequest.onSendHeaders,  •••,«;) 
ws.responseStarted(K,  idcb,  {idt,  idd,  idn),  ide,  url,  info)  {ide,  webRequest.onResponceStarted,  •••,«;) 
ws.completed(K,  idcb,  {idt,  idd,  idn),  ide,  url,  info,  ( content ,  Ki))  ~„{ ,  {ide,  webRequest.onCompleted,  •••,«;) 
ws.failed(/t,  idcb,  {idt,  idd,  idn),  ide,  url,  info,  £)  {ide,  webRequest.onErrorOccurred,  •  •  •  ,n) 
readytoCreateDoc(z<it,  idd,  ide,  content,  £doc)  ~nb  {ide,  webNavigation.onCommitted,  •••,«;) 


ExtCoreR  <1  q  e 
DocCS  <q  e 

Doc  <cs  e 
Tab  <1 ps  e 

Tab  <cs  e 
Tab  e 
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Each  web  request  state  contains  several  IDs.  If  a  web  request  state  is  for  loading  external  object  to  a  node  or  doc, 
idc b  is  set  as  •  and  ( idt ,  idd,  idn)  stores  tab  ID,  Doc  ID  and  node  ID.  If  a  web  request  state  is  from  a  direct  web 
request  API  call,  idcb  is  the  callback  handler’s  event  type,  (idt,  idd,  idn)  is  set  to  null. 

3.2  Browser  Internal  State  Transition  Rules 

A  browser  can  change  its  internal  state.  We  define  two  state  transition  functions  to  specify  to  which  state  the  browser 
should  transition  based  on  the  current  internal  state.  The  first  function  nextStatefL,  ary)  takes  the  current  state  and 
an  auxiliary  argument  which  could  be  void  or  noChange  or  Blocked(c)  as  inputs,  and  returns  a  new  state  and  a  list 
of  events.  Generally,  the  second  argument  is  set  as  void.  However,  when  processing  a  blocking  event,  the  browser’s 
next  state  depends  on  the  event  handlers’  return  value  as  well.  If  there  is  no  blocking  event  handler  for  the  event,  the 
second  argument  is  set  as  noChange;  else,  it  is  set  as  Blocked(c)  where  c  is  the  return  value.  This  function  is  used  in 
the  sequence  of  transitions  that  a  browser  takes  to  process  web  requests. 

The  second  function  nextStateCf  X’,  ip)  takes  the  entire  browser  state  and  the  current  browser  state  as  arguments, 
and  returns  an  updated  browser  state  and  a  list  of  events.  This  function  is  used  when  the  internal  transition  also  alters 
other  pieces  of  the  browser  state  such  as  the  DOM. 


E  =  (’ll,  -  •  •)  ::  ip 

(ip',£i)  =  nextState(i/>,  void/noChange/Blocked(c))  E'  =  E’fT'  4=  T'  ::  ip'] 

- InternalStateTransitionI 

E-£  ^4  E'-£  ::  £% 

E  =  ('$,■■■)  '&  =  ^>'::ip  (S',  £i)  =  nextStateC(I7,  ip) 

- - - InternalStateTransition2 

E-£  ^  E'-£  ::  £x 

3.3  Script  Transition  Rules 

Beta  rules  for  scripts  Given  f,  id,  and  (,  getFu notion  will  find  the  code  of  the  function  /  in  the  matching  scope, 
and  execute  it.  The  content  script  run  at  the  end  of  Doc  loading  can  refer  to  the  global  variables  and  functions  defined 
in  the  content  scripts  run  at  the  beginning  of  Doc  loading,  but  not  vise  versa. 


T,  e  jj.  v 


T,  x  :=  e  — T[a;  i  ^  u],  skip 


Assign 


T,  e  JJ-  true 


T,  if  e  then  cmd\  else  cmd 2  — >p  T,  cmd  1 


If-T 


T,  e  jj.  false 


If-F 


T,  if  e  then  cmd\  else  cmd 2  T,  cmd2  T,  skip;  cmd  T,  cmd 

x.cmd  =  getFunction(T,  /,  id) 


Skip 


T,  let  x  =  v  in  cmd  — >p  T,  cmd[v/x\ 


Let 


r,  /(e)  —tfj  r,  cmd[e/x\ 


FunctionCall 


Top-level  beta 

T,  cmd  ->g  T',  cmd' 

- - - - Context 

Ectx\T,  cmd  1  id;£  — >  Ectx\T',  cmd'  \id-,£ 
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Returns  The  last  instruction  of  an  event  handler  is  the  return  instruction.  If  the  return  field  of  the  event  handler  is 
none,  indicating  that  no  one  is  waiting  for  the  return  value  of  this  handler,  then  the  script  evaluates  to  skip.  The  three 
rules  Return-N-Core,  Return-N-CS,  and  Return-N-Page  are  for  core  scripts,  content  scripts,  and  page  scripts 
respectively. 


£ctx{id)  =  (d/,  Tabs,  ExtCoreRsCfX{id) ,  •  •  •)  ExtCoreRCfX{id )  G  ExtCoreRsCfX{id) 

ExtCoreRCfX(id )  =  {id,  _  ,  EventHandlers  ::  EventHandler CfX,  t) 

EventHandler  CfX{id)  =  (■■■,  nonblocking,  none) 

- - -  Return-N-Core 

Zctxl  r,  ret  v  \id\£  — >  rcfcE[]r,skip \id;£ 


Zctx{id)  =  ('P,  Tabsctx(id),  ■  •  •) 

tctx(id)  G  Tabsctx{id)  tctx(id)  =  (•••,  Docsctx{id),  ■  ■  ■)  Docctx(id)  G  Docsctx(id ) 
D°cctx{id)  =  (■■•,  DocCSsctx(id),  ■  •  •)  DocCSctx{id)  G  DocCSsctx{id) 

DocCSCfX{id)  =  (_  ,  id,  •  ■  ■ ,  EventHandlers  ::  EventHandler ctx(id) ,  t, ) 

EventHandler CfX{id)  =  (••*,  none) 

Zctx  S  ret  v  | id ,  £  ^  Ectx  |  T,  ski p  | ^ ,  £ 


Return-N-CS 


Zctx{id)  =  (Tr,  Tabs ctx{id) ,  •  •  •)  tctx{id)  G  Tabsctx(id ) 

tctx(id)  =  (idt,  Docs{id),  url,  EventHandlers  ::  EventHandler ctx{id)  ■  ■  •) 

Doc{id )  G  Docs{id)  Doc{id)  =  (•••,  nodes{id),  ■  ■  •)  node(id)  G  nodes{id) 

node(id)  =  {id,  attributes,  nodes\,  content,  [  [,f)  EventHandler CfX{id)  =  (•••,  none) 

- - - r -  Return-N-Page 

Rctx I  T,  ret  v  1  id-,£  — rcte[  T,skip \id;£ 

The  next  three  rules  Return-Core,  Return-CS,  and  Return-Page  are  for  core  scripts,  content  scripts,  and 
page  scripts  to  return  to  callback  functions  respectively.  The  return  of  the  event  handler  is  som e{R,  idr),  indicating 
that  there  is  a  callback  function  waiting  for  the  completion  of  this  event  handler.  Here,  the  event  handler  is  actually  an 
asynchronous  API  call  (or  a  callback),  R  is  the  name  of  the  original  asynchronous  API  call.  When  the  event  handler 
returns,  the  internal  browser  state  is  updated  to  include  a  new  state  ayncAPIRetState{R,  ,  idr,v),  stating  that  the 
asynchronous  API  call  to  R  has  completed  with  return  value  v,  label  f-,  and  the  callback’s  ID  is  idr.  We  will  show 
an  example  at  the  end  of  this  section. 
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Ectx(id)  =  (’4  Tabs,  ExtCoreRsctx(id),-  •  •)  ExtCoreRCfX(id )  £  ExtCoreRsCfX(id ) 

ExtCoreRctx{id )  =  (id,  _  ,  EventHandlers  ::  EventHandler  ctx,£) 

EventHandler  CfX(id )  =  (••■,  nonblocking,  some(i?,  idr)) 

ip  =  ayncAPIRetState(R,£~ ,  idr,v )  E't  (id)  =  X,ct2;(zrf)[\l/  <=  \1/  ::  ip] 

- - - Return-Core 

Rctx\ r,  ret  v  I id',£  — r'fa|r,skip \id-,£ 


ZctX  (id)  =  (^,  Tabsctx(id),  ■  ■  ■) 

tctx(id)  €  Tabsctx(id)  tctx(id)  =  (•••,  Docsctx(id),  ■  ■  ■)  Docctx(id)  £  Docsctx(id) 

D°cctx(id)  =  (•••,  DocCSsctx(id),  ■  •  •)  DocCSctx(id )  €  DocCSsctx(id) 

DocCSCfX(id)  =  (_  ,  id,  ■  ■  ■ ,  EventHandlers  ::  EventHandler  CfX(id),£, ) 

EventHandler  CfX(id)  =  (•••,  some(f?,  idr)) 

if)  =  ayncAPIRetState(R,£~ ,idr,v)  E't  (id)  =  Ectx(id)\A>  ^  ip] 

- - - Return-CS 

Ectx |  r,  ret  V 1  id;£  — E'ctx\ r, skip \id;£ 


Ectx(id)  =  (4  TabsC{X(id),  ■  ■  ■)  tctx(id)  £  Tabsctx(id) 

tctx(id)  =  (idt,  Docs(id),  url,  EventHandlers  ::  EventHandler ctx(id) ,  ■  •  •) 

Doc(id)  £  Docs(id)  Doc(id)  =  (•••,  nodes(id),  ■  ■  •) 

node(id)  £  nodes(id)  node(id)  =  (id,  attributes,  nodes\,  content,  |  \,£) 

EventHandler CfX(id)  =  (•  ■  ■  ,  some(f?,  idr)) 

ip  =  ayncAPIRetState(R,  £~ ,  idr,v)  E'ct  (id)  =  Ectx(id)[\ P  4=  \P  ::  ip] 

- - - Return-Page 

Ectx  1  T,  ret  v\id;£  — S>  E'ctx\  T,skip  \id;£ 

When  the  returning  event  handler  is  a  blocking  event  handler  in  the  core,  a  new  browser  state  DoneBlkEvtState(f_,  idr,  e,  v) 
is  generated  to  signal  the  completion  of  processing  that  blocking  event. 


Ectx(id)  =  (4  Tabs,  ExtCoreRsCfX(id) ,  •  •  •) 

\P  =  4  ::  ProcBlkEvtState(f_,  idr,e)  ExtCoreRCfX(id)  £  ExtCoreRsCfX(id) 
ExtCoreRCfX(id)  =  (id,  _  ,  EventHandlers  ::  EventHandler  C(X,£) 

EventHandler CfX(id)  =  (•••,  blocking,  some(e,  idr)) 

ip  =  DoneBlkEvtState(f“,  idr,  e,  v)  E'ctx(id)  =  Ectx(id)[\ P  ip] 

Ectx I  r,  ret  v \id-,£  -4  E'ctx\ I\skip \id\£ 


Return-Core-blocking 


Calls  We  model  two  types  of  API  calls:  synchronous  calls  and  asynchronous  calls.  In  general,  a  caller  calls  an  API 
with  an  argument  vector  v.  The  label  checking  for  an  API  call  checks  whether  the  caller  has  permission  to  call  the 
API.  Here,  we  allow  the  caller  to  apply  declassification  capabilities  before  the  call. 


I  =  ctxOfld(I7cte[  T,  APIs(v)  \id,  id)  £  ^  labOf (APIS) 
Ectx\ r,  apis(v) \id;£  -4  rcte[r,void  \id-£ 


SkipAPICall-S 


£  =  ctx0fld(i7cte[  r,  API s(v)  lid,  id) 


i~  =»  labOf (APIS)  Ectx  1  T,APIs(v)  jld  apis  4;  £' 

Ectx\ T,  APIs(v)  |jd; £  A  27';  £  ::  £' 


FireAPICall-S 


£  =  ctxOfld(27cfec[  T,  APIa(v)  lid,  id)  £  ^  labOf (APIa) 
Ectx  1  r,  APia(v)  lw;£  -4  2444  skip \.ld-£ 


SkipAPICall-A 
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There  are  three  asynchronous  API  fire  rules;  each  adds  a  new  event  handler  to  the  context  and  adds  to  the  browser 
state  an  indication  that  the  call  has  fired.  This  state  will  be  processed  using  rule  INTERNALS TATETRANSITION2 
(Section  3.9).  When  calling  an  API,  the  scripts  can  use  declassification  capabilities,  and  therefore  the  browser  state 
associated  with  the  call  has  the  declassified  label.  For  calls  that  include  callback  functions,  the  callback  functions  will 
be  added  as  new  event  handlers  in  the  system.  The  event  type  of  the  event  handler  for  a  callback  function  should 
uniquely  identify  that  function.  Events  triggering  these  event  handlers  will  be  generated  once  the  asynchronous  API 
finishes  and  returns  its  return  result. 


Ectx(id)  =  (’T,  Tabs,ExtCoreRsCfX(id),-  ■  •)  ExtCoreRCfX(id)  £  ExtCoreRsCfX(id ) 

ExtCoreRctx\  T,  APIa(v)  =  (id,  _ ,  EventHandlers ,  £)  t~  C  labOf (APIa) 

!  Kt 

callbackOf  (v)  =  x.cmd 

fresh(idcb)  fresh(idh)  eh  =  ( idh ,  idcb,  x.cmd,  ■,  skip,  void,  nonblocking,  none) 

ExtCoreRCfX  (id)  =  ExtCoreRCfX(id)[EventHandlers  <=  EventHandlers  ::  eh] 

ExtCoreRsctx' (id)  =  ExtCoreRsctx(id)[ExtCoreRsctx(id)  <=  ExtCoreRsCfX  (id)] 
if  =  ayncAPIstate(nt,  idcb,  API a(v)) 

Kix(id)  =  Ectx(id)[ExtCoreRsctx(id)  <=  ExtCoreRs'ctx(id)][^  ^  ::  ip] 

- - - FireAPICall-A-Core 

Sets  |  r,  API  a  (v)  |  jd;  £  -4  E'ctx\Y,  skip  U,  £ 


Ectx(id)  =  (^,  Tabsctx(id),  ■  ■  ■)  tctx(id)  £  Tabsctx(id) 
trtx(id)  =  (•••,  Docsctx(id),  ■  ■  ■)  Docrtr(id)  £  Docsctr(id) 

Docctx(id)  =  (■••,  DocCSsctx(id),  ■  ■  ■)  ' DocCSctx(id)  £  DocCSsctx(id) 

DocCSctx(id)  =  (_,«*,■••,  EventHandlers ctx(id),  i)  l~  C  labOf (APIa) 

£=>  K,t 

callbackOf  (v)  =  x.cmd 

fresh(idcb)  fresh(idh)  eh  =  (idh,  idcb,  x. cmd,  ■,  skip,  void,  nonblocking,  none) 
DocCS'CfX(id)  =  DocCSctx(id)[EventHandlersctx(id)  <=  EventHandlers ctx(id)  ::  eh] 
DocCSs'CfX(id)  =  DocCSsctx(id)[DocCS ctx(id)  <=  DocCS'CfX(id)] 

D°cctx(id)  =  Docctx(id)[DocCSctx(id)  DocCS'cjx(id)] 

t'ctx(id )  =  tctxWlDocct^id)  <*=  Doc'ctx(id)\  =  ayncAPIstate(nt,  idcb,  APIa(v)) 
Ktxjid)  =  Ectx(id)[tctx(id)  <=  t'ctx(id)][ T  ^  ip] _ 

Ectx\T,APIa(v)\ld-£  —A  T, skip lid; f 


FireAPICall-A-CS 


Ectx(id)  =  ('P,  Tabsctx(id),  ■  ■  ■) 

tctx(id)  £  Tabsctx(id)  tctx(id)  =  (idt,  Docs(id),  url,  EventHandlers  ctx(id),-  ■  ■) 
Doc(id)  €  Docs(id)  Doc(id)  =  (■■■,  nodes(id),  ■  ■  •)  node(id)  £  nodes(id) 
node(id)  =  (id,  attributes,  nodes\,  content,!)  I~  Q  labOf (APIa) 

Kt ,  £  =y> 

callbackOf  (v)  =  x.cmd 

fresh(idcb)  eh  =  (id,  idcb,  x.cmd,  ■,  skip,  void,  nonblocking,  none) 
tctx(id)  =  tctx(id)[EventHandlersctx(id)  •<=  EventHandlersctx(id)  ::  eh) 
if  =  ayncAPIstate(nt,  idcb,  APIa(v)) 

sctx(id)  =  Ectx(id)[tctx(id)  <=  t'ctx(id)][^  <=  V  ::  if] _ 

Ectx\T,APIa(v)\id-£  —A  E'ctx\T,  sk\p\id-,£ 


FireAPICall-A-Page 
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3.4  Event  Enqueue  Rules 

Fire  nonblocking  stateless  events  For  each  handler  eh  of  e,  the  system  adds  e  to  the  event  queue  of  the  handler  eh. 
If  the  event  is  not  linked  to  any  browser  state,  it  can  be  processed  regardless  of  the  browser  state. 

e  is  not  a  blocking  event  E  =  ('F,  Tabs,  ExtCoreRs,  ■  ■  •) 

E'  =  E\ExtCoreRs  4=  ExtCoreRs  <\q  e]\Tabs  4=  Tabs  <\n  el 

- - — - - —  EventFireI 

E-,£  ::  e  -4  E'-£ 

The  following  rule  enqueues  a  nonblocking  event  that  can  only  be  processed  at  certain  browser  states.  Further, 
after  going  through  all  the  extensions,  the  browser  moves  to  the  next  state. 

For  instance,  ip  =  ws.responseStarted(ft,  idt,  idd,  idn ,  ide' ,  url,  info')  is  related  to 
e  =  (ide' ,  webRequest.onResponceStarted,  none,  info' ,  k)  (ip  ~  e),  and  the  next  browser  state  ip  is  ws.completed(-  •  •). 

e  is  not  a  blocking  event 

E  =  ('F,  Tabs,  ExtCoreRs,  ■  ■  •)  \F  =  \F/  ::  ip  ip  ~nb  e  (ip' ,  e!)  =  nextState(/0,  void) 

E'  =  E\\ 1/  ::  ip']\ExtCoreRs  4=  ExtCoreRs  Oq  el[Ta6s  Tabs  <Iq  el 

- - - — - - - — - — - EventFire2 

E-£  ::  e  -4  E';£  ::  e' 

We  may  also  use  nextStateC  to  advance  state.  In  the  following  rule,  besides  the  event  queues  of  the  event  handlers, 
updates  other  parts  of  the  system  as  well. 

e  is  not  a  blocking  event  E  =  (\F,  Tabs,  ExtCoreRs,  ■  ■  •) 

\F  =  \E ip  ip  e  E'  =  E[ExtCoreRs  4=  ExtCoreRs  <q  e][Tabs  4=  Tabs  <3q  e] 

(E",£  i)  =  nextStateC^',  ip) 

- - - EventFire3 

E;£  ::  e  -4  E"-£  ::  £x 

Fire  blocking  events  that  have  no  blocking  handlers  In  Chromium,  only  extension  cores  contain  blocking  event 
handlers.  Given  a  blocking  event,  the  non-blocking  handlers  with  a  label  higher  than  the  event’s  and  the  blocking 
handlers  with  a  label  the  same  as  the  event’s  can  process  the  event.  The  browser  can  only  move  to  the  next  state  after 
all  the  blocking  handlers  have  processed  the  event.  If  there  is  no  blocking  event  handler  with  the  same  label  as  the 
event’s,  after  enqueuing  the  event  to  all  its  handlers,  the  browser  can  advance  to  the  next  step  directly. 

e  is  a  blocking  event  E  =  ('F,  Tabs,  ExtCoreRs,  •  •  •)  \F  =  \F '  ip  ip  e 
WExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR,  e), 

\/eh  €  EHs,  labOf(e/i)~  =  labOf(e)  =>  isBlocking(eh)  =  false 

(ip',  e')  =  nextStatei^,  void)  E'  =  ,F[’F  IF7  ::  ip'][ ExtCoreRs  4=  ExtCoreRs  On  e] 

- - - EventFireNonBL 

E;£  ::  e  -4  E'-£  ::  e' 

Fire  a  blocking  event  There  must  exist  at  least  one  blocking  handler  with  the  same  label  as  the  event’s.  The  browser 
enqueues  the  event. 

e  is  a  blocking  event  E  =  (\F  ::  ip,  Tabs,  ExtCoreRs,  •  •  •)  ip  ^ f,  e 
BExtCoreR  €  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR ,  e), 

3 eh  £  EHs,  isBlocking(eh)  =  true  A  labOf(eli)-  =  labOf(e) 

E'  =  ElExtCoreRs  -4=  ExtCoreRs  <q  el 

- - - EventFireBL 

E-£  ::  e  -4  E'\£ 
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Blocking  handler  finished  (1)  All  the  blocking  handlers  for  the  event  have  finished  processing  the  event,  and  none 
of  them  returns  a  value  to  change  the  browser  behavior.  The  browser  moves  to  the  next  step  using  nextstate  based  on 
the  browser  state  related  to  the  event. 

e  is  a  blocking  event  e  ip  E  =  ('k,  Tabs ,  ExtCoreRs ,  •  •  •)  \I/  =  *3/i  ::  t/>  :: 

$ip  £  vEt,  s.t.i/j  =  ProcBlkEvtState(_  ,  _  ,  e)  or  DoneBlkEvtState(-  •  • ,  e,  _  ) 

\I/ 2  contains  matching  pairs  of  ProcBlkEvtState(_  ,  idr ,  e)  and  DoneBlkEvtState(_  ,  idr,  e,  0) 

MExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR,  e), 

Veft  £  EHs,  labOf(eh)~  =  labOf(e)  A  is  Blocking  (eh)  =  true,  e  ^  Qof(eh) 
iM>'  ,£ i)  =  nextState(t/>,  noChange)  E'  =  £I[T'  4=  Vki  ::  ip'] 

- - - - BlockFinishedI 

E;£  -4  E'-£  ::  £x 

Blocking  handler  finished  (2)  All  the  blocking  handlers  for  the  event  have  finished  processing  the  event.  Every 
blocking  handler  with  the  same  label  as  the  event’s  has  returned  a  value.  The  system  chooses  the  return  value  that 
comes  from  the  last  installed  extension’s  handler.  Then  the  browser  moves  to  a  new  state  according  to  the  current 
browser  state  and  the  selected  return  value.  £i  denotes  the  subsequent  events  triggered. 

e  is  a  blocking  event  E  =  (Tu  Tabs,  ExtCoreRs,  •  •  •)  \1/  =  \I/i  ::  -t/r  ::  SI/2 

$ip  £  \l/i,  s.t.ip  =  ProcBlkEvtState(_  ,  _  ,  e)  or  DoneBlkEvtState(-  •  • ,  e,  _  ) 

^2  contains  matching  pairs  of  ProcBlkEvtState(_  ,  idi,  e)  and  DoneBlkEvtState(_  ,  idi,  e,  c,) 

VExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR,  e), 

Ve/i  £  EHs,  labOf(eh)~  =  labOf(e)  A  is  Blocking  (eh)  =  true,  e  ^  Qof(eh) 
getLastInstalledReturn(A>2)  =  (n,  idj,Cj)  s.t.  Cj  7^  0 
(ip',£i)  =  nextState(t/>,  Blocked(c,))  E'  =  X’fT'  Tr  ::  1//] 

- - - BlockFinished2 

E-£  -4  E’-£  ::  £x 

3.5  Event  Dequeue  Rules 

Dequeue  an  event  in  CS  In  content  scripts,  after  finishing  the  processing  of  an  event,  a  handler  dequeues  the  next 
event  e  in  its  event  queue.  If  e’s  label  is  not  lower  than  the  hosting  content  script’s  label,  e  will  be  discarded;  else,  the 
event  handler  starts  processing  e.  As  long  as  e  is  processed  by  the  handler,  the  hosting  content  script  label  is  tainted 
with  e’s  label. 


Ectx(id)  =  (^,  TabsCfx(id),  ■  ■  •)  tctx(id)  £  Tabsctx(id) 
t-ctx(id)  =  (•••,  Docsctx(id),  •  •  •)  Docctx(id)  £  Docsctx(id) 

Docctx(id)  =  (-..,  DocCSsctx(id),  ■  ■  •)  DocCSctx(id)  £  DocCSsctx(id) 

DocCSCfX(id)  =  (_  ,  id,  _  ,  |  |,  EventHandlers  ::  ehCfX,  i) 

ehctx  =  (•,  eventType,x.cmd,  e  ::  £\,  [|,  ide,  BlockingFlag ,  return) 

labOf(e)  %i*  e^ctx=  (•,  eventType,x.cmd,£i,\\,ide,  BlockingFlag,  return) 

DocCS'ctx(id)  =  DocCSctx(id)[ehctx  4=  eh'ctx ] 

DocCSs'ctx(id)  =  DocCSsctx(id)[DocCSctx(id)  4=  DocCS'ctx(id)\ 

Docctx('id)  =  DocCfX(id)[DocCSsCfX(id)  <=  DocCSs'ctx(id)\ 
t’ctx  {id)  =  tctx(id)[Docctx(id)  <=  Docctx(id)\ 

Ktxiid)  =  Ectx(id)[tctx(id)  <=  t'ctx(id)\ _ 

Ectx\  T,  skip  1  id ;  £  -4  r'telr,skip|id;f 


EventDequeueCS 1 
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Ectx{id)  =  (*k,  Tabsctx(id),  ■  ■  ■)  tctx(id )  G  Tabsctx(id ) 
tctx(id)  =  (•••,  Docsctx(id),  ■  ■  ■)  Docctx(id)  G  Docsctx(id) 

Docctx{id)  =  (•••,  DocCSsctx{id),  ■  ■  •)  DocCSctx(id)  G  DocCSsctx(id) 
DocCS CfX{id)  =  (_  ,  id,  _  ,  [  |,  _  ,  EventHandlers  ::  ehCfX,  £) 
ehctx  =  (•,  event  Type,  x.cmd,  e  ::  £\,  [[,  zde,  BlockingFlag,  return') 
e  —  (id'e,  event  Type,  return,  •  ■  ■  ,ne)  Ke  C  £* 

=  Ke  >tnt  f  eft  =  (•,  event  Type,  x.  cmd,  £i,  [|,  zde,  BlockingFlag ,  return) 
DocCS'ctx{id)  =  DocCSctx{id)[ehctx  <=  eh'ctx][£  4=  £’] 

DocCSs'cix(id)  =  DocCSsctx(id)[DocCSctx(id)  4= 

Doc'ctx(id)  =  Docctx{id)[DocCSctx{id)  4=  DocCS'ctx{id )] 
tftx  {id)  =  te(*d)[I>occfcr(zd)  4=  Docctx{id)\ 

Ktxiid)  =  Fctx{id)[tctx{id)  4=  t'ctx(id )] _ 

Ectx\  r,skip  \id;£  updLl^’e  ]  E’ctx\T,cmd[e/x]  \id;£ 


EventDequeueCS2 


Dequeue  an  event  in  Core  In  extension  cores,  after  finishing  processing  of  an  event,  a  handler  dequeues  the  next 
event  e  in  its  event  queue.  A  non-blocking  event  handler  can  process  an  event  if  the  event’s  label  is  lower  than  the 
handler’s  hosting  extension  core’s  label.  A  blocking  event  handler  can  process  an  event  and  generate  a  new  browser 
state  ProcBlkEvtState(«;e,  idr,  e)  if  its  label  (after  necessary  floating)  is  the  same  as  the  event’s,  where  ne  is  e’s  label 
and  idr  is  a  fresh  random  string.  As  long  as  e  is  processed  by  the  handler,  the  hosting  extension  core’s  label  is  tainted 
with  e’s  label. 

If  a  handler  cannot  process  an  event  due  to  label  checking,  the  event  will  be  discarded. 


E ctx{id )  =  (’k,  Tabs,  ExtCoreRsCfX{id),  ■  ■  ■)  ExtCoreRctx{id)  G  ExtCoreRsctx{id) 

ExtCoreRCfX{id)  =  {id,  ([  |,  _  ,  EventHandlers  ::  ehCfX),£) 

ehctx  —  (■>  event  Type,  x.cmd,  e  ::  £\,  ||,  ide ,  nonblocking,  return) 

labOf{e)  [2  t*  ehctx  =  (">  eventType,  x.cmd,  £\,  [  |,  ide,  nonblocking,  return) 

ExtCoreRctx' {id)  =  ExtCoreRctx{id)[ehctx  4=  etictx\ 

ExtCoreRsCfX  {id)  =  ExtCoreRsCfX{id)[ExtCoreRsCfX{id)  4=  ExtCoreRsCfX  {id)\ 
KtxW  =  Ectx{id)[ExtCoreRsctx(id)  -4=  ExtCoreRs'ctx{id)\ 

Ectx\  r,skip  \id-,£  -4  r'te[r,skiP \id-,£ 


EventDequeueCore 1 


Ectx{id)  =  (’k,  Tabs,  ExtCoreRsCfX{id),  _  ,  Exts  ::  Ext,  ■  •  •) 

ExtCoreRCfX{id)  G  ExtCoreRsctx{id) 

ExtCoreRCfX{id)  =  {id,  ([|, _  ,  EventHandlers  ::  ehctx),£) 
ehctx  —  (■>  eventType,  x.cmd,  e  ::  £\,  H,  ide ,  nonblocking,  return) 
e  =  (ide,  eventType,  return1 ,  •  ■  ■ ,  ne)  ne  Cf  £'  =  ne  >tnt  £ 

Ext  =  {id,  •  •  ■  ,£a)  ehCfX  =  {■,  eventType,  x.cmd,  £\,  ||,  ide,  nonblocking,  return') 

ExtCoreRctx' {id)  =  ExtCoreRctx{id)[ehctx  <=  eh'ctx\l£  4=  £'] 

ExtCoreRsctx  {id)  =  ExtCoreRsctx{id)[ExtCoreRsctx{id)  4=  ExtCoreRsctx  {id)\ 

Ext'  =  Ext[£s  4=  {labOf{e)  ^ tnt  is)] 

E'ctx{id)  —  Ectx{id)[ExtCoreRsctx{id)  4=  ExtCoreRs'rtx{id)][Ext  -4=  Ext'] 

- — - - EventDequeueCore2 

Ectx\T,  skip  \id- £  updL^e'~i  27'J  r,  cmd[e/x)  \id-,£ 
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Ectx(id)  =  (viz,  Tabs,  ExtCoreRsCfX{id ),  ■  ■  ■) 

ExtCoreRctx(id)  G  ExtCoreRsctx(id ) 

ExtCoreRCfX(id )  =  (id,  ([  |,  _  ,  EventHandlers  ::  ehCfX),i) 

ehctx  =  (•,  event  Type,  x.cmd,  e  ::  E\,  ||,  ide,  blocking,  return) 

labOf(e)  ^  £~  eh'ctx  =  (■,  eventType,  x.cmd,  £ i,  Q  Q ,  ide,  blocking,  return) 

ExtCoreRctx  (id)  =  ExtCoreRctx(id)[ehctx  <=  eh'ctx\ 

ExtCoreRsCfX  (id)  =  ExtCoreRsCfX(id)[ExtCoreRsCfX(id)  4=  ExtCoreRsCfX  (id)\ 
E'ctx(id)  =  Ectx(id)[ExtCoreRsCfx(id)  4=  ExtCoreRs'C{X(id)\ 

I7cte[r, skip  lid; £  -4  r'te|r,skip[id;£ 


EventDequeueCoreBlockingI 


E ctx(id)  =  (ll/,  Tabs ,  ExtCoreRsCfX(id ),  •  •  •) 

ExtCoreRCfX(id)  G  ExtCoreRsCfX(id) 

ExtCoreRctx (id)  =  (id,  (\\,  -  ,  EventHandlers  ::  ehCfX),l) 
ehctx  =  (■)  eventType,  x.cmd,  e  ::  £\,  [|,  ide,  blocking,  return) 
e  =  (ide,  eventType,  return,  ■  ■  ■ ,  Ke) 

ne=£ ~  fresh(idr)  =  ProcBlkEvtState(«;e,  idr,  e) 

eh'ctx  =  (■)  eventType,  x.cmd,  £\,  ||,  id'e,  blocking,  some(e,  idr)) 

ExtCoreRctx  (id)  =  ExtCoreRctx(id)[ehctx  <=  eh'ctx\ 

ExtCoreRsctx  (id)  =  ExtCoreRsctx(id)[ExtCoreRsctx(id)  <=  ExtCoreRsctx  (id)\ 
E'ctx(id)  =  Ectx(id)[ExtCoreRsctx(id)  <=  ExtCoreRs'ctx(id)][ \Hr  ::  tp] 

Ectx\ T,skip \ld;£  — s>  E'ctx\ T,  cmd[e/x\  jid;£ 


EventDequeueCoreBlocking2 


Dequeue  a  page  event  In  page  scripts,  after  finishing  processing  of  an  event,  a  handler  dequeues  the  next  event  e  in 
its  event  queue.  There  are  two  types  of  script  handlers:  inline  handlers  and  the  handlers  added  using  “addEventLis- 
tener”.  Here  we  model  the  second  type  of  handlers.  If  e’s  label  is  not  lower  than  the  hosting  page  script  node’s  label, 
e  will  be  discarded;  else,  the  event  handler  starts  processing  e.  As  long  as  e  is  processed  by  the  handler,  the  hosting 
page  script  node’s  label  is  tainted  with  e’s  label. 


Ectx(id)  =  ('S,  Tabsctx(id),  ■  ■  ■)  tctx(id)  G  Tabsctx(id) 
tctx(id)  =  (id t,  Docs env (id),  url,  EventHandlers  ::  ehctx(id),  _) 
ehctx(id)  —  (id,  eventType,  x.cmd,  e  ::  £\,  Q  Q ,  ide,  BlockingFlag,  return) 

Docenv(id)  G  Docsenv(id)  Docenv(id)  =  (•••,  nodes env (id),  -  ■  •) 

nodeenv(id)  G  nodesenv(id)  nodeenv(id)  =  (id,  |,  £)  labOf(e)  %  l* 

i-ctx('id)  =  tctx(id)[ehctx(id)  <=  ehctx(id)]  Ecix(id)  =  Ectx(id)[tctx(id)  <=  tctx  m 

Dctxj  T,  skip  lid;  £  -4  r'tjr,skip[jd;£ 


EventDequeuePage  1 
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Sctx(id)  =  ('f,  Tabsctx{id),  ■  •  ■)  tctx{id)  e  Tabsctx(id) 

tctx(id)  =  (idt,  Docsenv{id),  url,  EventHandlers  ::  ehCfX{id),£  1  ::  e,  _  ) 

Docenv{id)  €  Docsenv{id)  Docem{id )  =  (•■■,  nodes env {id),  -  ■  ■) 
nodeenv(id)  €  nodesenv(id)  node  env  {id )  =  {id,  attributes,  nodes  i,  content,  [[,  f) 

e/iCfX  =  (id,  eventType,x.cmd,  e  ::  £\,  [|,  ide,  BlockingFlag,  return') 
e  =  (id'e,  eventType,  return,  •  ■  ■ ,  ne)  ne  C  £* 

(!  =  Ke  \>tnt  Z  eh-ctx  =  {id-i  eventType,  x.cmd,  £\,  ||,  ide,  BlockingFlag,  return) 
nodeem,{id)  =  {id,  attributes,  nodes\,  content,  H,^) 

Docs'em,{id)  =  Docsenv{id)[nodeenv{id)  <=  nodeenv{id )] 
i,ctx{  id)  =  tctx{id)[Docctx{id)  4=  Docctx{id)\ 

^ ctx{id )  =  £‘ctx{id)\tctx{id)  ^c£t(*^)] 

-S’ctel  r, skip  l*d; £*  r'tjr,  cmrf[e/x]  !*;£: 


EventDequeuePage2 


3.6  Special  Event  Processing  Rules 

Sending  data  The  browser  sends  a  web  request  to  the  server  and  the  request  is  accepted  by  the  server. 


e  =  sendToSever,  {url,  ide),  n) 

- - - - - — - - HeaderReceivedByServer 

H  ::  {url,  listen;  ax  exp);  E;£  w  e  sendTo  *TfLj.url'r,K'  n  (urZ,  exp[r/a;]);  E;£ 

Receiving  data  The  web  server  sends  header  information  to  the  browser.  When  the  header  arrives  at  the  browser, 
the  browser  generates  an  internal  browser  state  so  the  data  is  processed  later. 


fresh{id)  k  =  labFrom{url)  e  =  {id,  headerSent,  none,  info,  k) 

— - - - -  ServerSndHdr 

S  ::  {url,  sendHeader(Zi);  exp);  E;£  serverSn<^^der(?l>K  n  {url,  exp);  E;£  we 

The  browser  has  sent  a  web  request  header  to  a  server;  it  has  a  browser  state  ws. headerSent (k,  idcb,ide,  url,  info) 
and  is  waiting  for  the  header  from  the  server.  Upon  receiving  a  headerSent  event  e,  if  e  and  ws.headerSent(«;,  idcb,ide,  url,  info ) 
are  paired  (through  info),  the  browser  steps  from  the  ws.headerSent(-  •  •)  state  to  a  headerRecved(-  •  •)  state,  and  issues 
a  webRequest.onHeadersReceived  event. 

We  know  that  k  C  labFrom{url)  as  we  checked  labels  when  the  web  request  was  initialized.  And  by  default, 
k  =  labFrom{url)  (see  rule  ServerSndHdr). 

E  =  (\f ,  •  •  •)  d/  =  'T1  ::  ws.headerSent(ft,  idcb,  ide,  url,  info) 
e  =  {id,  headerSent,  none,  info,  k)  if  =  headerRecved(wZ,  idcb,n  Wm  k1) 

fresh{ide)  e'  =  {ide,  webRequest.onHeadersReceived.  none,  info,  k) 

■ - - - - - headerRecvd 

E;£  ::  e  -4  i7[<f  4=  dT  ::  tp\;£  ::  e! 

The  server  sends  content  to  the  browser. 


fresh{id)  k  =  labFrom{url) 
5  ::  {url,  sendContent(Zi);  exp);  E;  £ 


e  =  {id,  contentSent,  none,  info,  k) 

serverSndContent(c,/‘c)  „  ,  ,  , 

— ►  ::  {url,  exp);  E;  t  ::  e 


ServerSndCont 
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The  browser  receives  content  and  generates  an  internal  state  to  indicate  that  the  content  needs  to  be  processed  later. 

E  =  (T1,  •  •  •)  e  =  (id,  contentSent,  none,  info,  k)  if  =  contentRecved(w(,  info,  k) 

- - - contentRecvd 

E;£  ::  ip\,£ 

3.7  Browser  State  Transitions 

The  sequence  of  transitions  starts  when  a  web  request  is  made,  either  because  of  an  update  to  a  tab’s  URL;  or  due  to 
requests  made  to  obtain  external  resources  during  DOM  tree  construction;  or  because  of  a  DOM  write  that  updates  a 
node  and  requires  contacting  remote  servers. 

3.7.1  Deciding  Whether  to  Send  webRequest 

Here  the  browser  is  going  to  fetch  an  object  such  as  a  script  or  an  image  for  a  DOM  node.  The  node  is  assigned  with  the 
external  object’  URL.  The  node  and  a  readyToFetch  state  were  created  during  the  DOM  tree  creation  procedure  (see 
CreateDOC(2))  or  added  by  a  script  (DomAppendChildren(I)).  The  readyToFetch  state  has  several  arugments 
and  has  the  form:  readyToFetch (n,  ( idt ,  idd,  idn),  urlres ).  where  n  is  the  simplified  node  label,  (idt,  idd,  idn )  indi¬ 
cates  which  node  is  going  to  load  the  object,  and  urlres  is  the  external  object’s  URL.  If  the  resource  fetching  is  allowed, 
the  browser  implicitly  launches  a  web  request  call  and  generates  a  ws.beforeRequestjrc,  idcb,  (idt,  idd,  idn),  ide,  info,  url) 
state. 


E  =  (T1  ::  ip,  Tabs  ::  t,  ■  ■  ■)  ip  =  readyToFetch(ft,  ( idt ,  idd,  idn),  url) 
t  =  (idt,  Docs  ::  Doc,  u rl\,  _  ,  If)  Doc  =  (idd,  url,  nodes ,  DocCSs,  \,  id) 
node  Gb  nodes  node  =  (idn,  ■  ■  ■  ,£n)  NetDeclassify  (£n~ )  C  labFrom(url) 
ip'  =  webRequestGet(K,  •,  (idt,  idd,  idn),  info,  url)  E'  =  E[ip  •<=  ip'] 
nextStateC(X\  readyToFetch(«;,  idt,  idd,  idp,  url))  =  E'\  ■ 


fetchAllowed 


The  object  is  not  allowed  to  be  loaded  in  a  node.  We  still  keep  the  node,  because  it  may  have  sub-nodes. 


E  =  (d/  ::  ip,  Tabs  ::  t,  ■  ■  •) 

ip  =  readyToFetch(K,  (idt,  idd,  idn),  urlres )  t  =  (idt,  Docs  ::  Doc,  url\,  _  ,  if) 

Doc  =  (idd,  url,  nodes,  DocCSs,  x,  id)  node  Gb  nodes 

node  =  (idn,  ■  •  •  ,£n)  NetDeclassify (in~)  %  labFrom(urlres)  E'  =  JCKI/  ::  ip  <=  ’Ll 

- - - - - - — - - - - - fetchBlocked 

nextStateC(T',  readyToFetchjK,  idt,  idd,  idp,  urlres ))  =  E  ;  e  =  • 

Now  the  system  has  a  readyToFetch  Doc  state  with  arguments  (k,  idt, ', url).  It  means  the  browser  is  going 
to  load  a  new  top-level  document  to  a  tab.  £t  is  the  tab’s  label,  k  is  the  readyToFetch  Doc  state’s  label,  url  is  the 
top-level  document’s  URL.  Given  it,  k,  and  url,  computeLabel  works  as  follows:  if  £t  =>  labFrom(url),  it  outputs 
it  Wm  labFrom(url):  else,  it  outputs  0.  We  don’t  check  whether  n  C  labOf  (url),  as  k  comes  from  £t,  and  n  could  be 
not  lower  than  labFrom(url)~ . 

If  computeLabel' s  output  is  not  equal  to  0,  then  the  system  will  allow  the  top-level  document  to  be  loaded  to  the 
tab.  A  new  blank  document  will  be  created  and  added  to  the  tab.  The  system  will  transfer  from  the  readytoCreateDoc 
state  to  a  ws.beforeRequest  state. 
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S  =  ('I'  ::  ip,  Tabs  ::  t,  ■  ■  ■)  t  =  ( idt ,  Docs ,  urlt,  ■  ■  ■ ,  £t) 

ip  =  readyToFetchDoc(re,  idt,  •,  •,  url)  =  computeLabel  (£t,  re,  url ) 

4*^0  fresh(idd)  Docnew  =  (idd,  url,  Id)  Docs' =  Docs  ::  Docnew 
“doc"  £  info  ip'  =  webRequestGet(re,  •,  (idt,  ■,  •);  inf°,  url) 
f7  =  <[-Docs  ■£=  -Docs7][ur/t  url]  S'  =  S[t  <=  t')[ip  <=  ip'] 

nextStateC(I7,  readyToFetchDoc(re,  idt,  •>  ■,  url)  =  S';  ■ 


FetchDocAllowedTop 


If  the  output  of  computeLabel  is  an  empty  set,  the  top-level  document  cannot  be  loaded.  The  system  then  discards 
the  readyToFetchDoc  state. 


S  =  (T'  ::  ip,  Tabs  ::  t,  ■  ■  ■)  t  =  (idt,  Docs,  urlt,  ■  ■  ■ ,  it) 
ip  =  readyToFetchDoc(re,  idt,  ■,  ■,  url ) 
computeLabel  (£t,  k,  url)  =0  S'  =  S[ip  4=  ■] 
nextStateC(£\  readyToFetchDoc(re,  idt,  -,  -,  url)  =  S';  ■ 


FetchDocBlockedTop 


The  to-be-fetched  doc  is  an  iframed  sub-doc.  We  need  to  consider  the  policy  composition  problem  when  generating 
the  new  doc’s  label.  As  defined  in  Section  1.3,  the  function  computeFrameLab  takes  four  arguments,  the  iframe’s 
label,  the  embedded  page’s  label,  the  generalized  CSP,  and  the  url  of  the  framed  page.  Note  that  the  iframe  is  a  node 
of  its  parent  doc,  so  the  iframe’s  label  is  the  node’s  label.  The  embedded  page’s  label  comes  directly  from  its  URL. 
If  the  output  of  computeFrameLab  is  not  an  empty  set,  then  the  fetching  of  the  sub-doc  is  allowed.  Here  we  do  not 
check  whether  re  C  labFrom(urlj:ramecf)  as  re  comes  from  labOf  (idn). 


A7  =  (\R  ::  ip,  Tabs  ::  t,  ■  ■  ■)  t  =  (idt,  Docs,  ■  ■  •) 

ip  =  readyToFetchDoc(re,  idt,  idp,  idn,  urlj?rame ^)  Doc  £  Docs 

Doc  =  (-,-,  nodes,  -  ,\, -)  node  £  nodes  node  =  (idn,-  ■  ■  ,£n) 

£d  =  co  mp  ut  eFrameLa  b(£n,  lab  From  (url frame ,  X,  ur^ framed)  ^  0 

fresh (idd)  Docnew  =  (idd,  url framed’  ‘ >  ‘ ‘ >4*)  Docs'  =  Docs  ::  Docnew 

fresh(ide)  ip’  =  webRequestGet(re,  •,  (idt,  idd,  idn),  ide,  info1,  urlj-rame(j) 

“Doc"  £  info ,  t'  =  tlDocs  Docs']  S'  =  S[t  4=  t'][ip  <=  ip'] 

- - - - - - - FetchDocAllowedSub 

nextStateC(H,  readyToFetchDoc(re,  idt,  idp,  idn,  urLramec j)  =  S  ;  ■ 

The  output  of  computeFrameLab  is  an  empty  set,  then  the  fetching  of  the  sub-doc  is  blocked. 


S  =  (H/  ::  ip,  Tabs  ::  t,  ■  ■  ■) 

ip  =  readyToFetchDoc  (re,  idt,  idp,  idn,  url^rame(j) 
t  =  (idt,  Docs,  ■  ■  ■)  Doc  £  Docs 

Doc  =  (_  ,  _  ,  nodes,  _  ,  x,  -  )  node  £  nodes  node  =  (idn,  ■  ■  ■ ,  £n) 
computeFrameLab (£n,  labFrom(urhmmecf),x ,  ur^framed^  =  0  S'  =  S[ip  <=  •] 

- - - - - - - - - - - - - FetchDocBlockedSub 

nextStateC(27,  readyToFetchDoc(re,  idt,  idp,  idn,  urDramec j)  =  S  ;  ■ 

3.7.2  Web  State  Transitions 

For  blocking  handlers,  we  will  restrict  that  only  the  handler/core  with  the  same  label  as  the  event/state  can  return  a 
value.  So  we  don’t  need  to  check  the  label  in  nextState. 
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For  web  requests  for  loading  external  objects/pages,  we  check  whether  they  can  go  out  according  to  the  rules 
in  Section  3.7.1.  For  web  requests  issued  by  calling  HTTP  WebRequest  APIs,  we  check  whether  they  can  go  out 
in  the  HTTPWebRequest  asyAPICall  rules.  So  given  a  web  request  related  browser  state  ws.  *  (k,  ■  ■  ■ ,  url .  _  )  from 
an  entity  with  label  l,  by  default,  we  have  £  =>  labFrom(url)~ .  However,  it  is  not  necessary  to  require  that  k  C 
labFrom(url)  . 

Before  the  request  is  sent  ws.beforeRequest(-  •  •)  is  abrowser  state  related  to  ablocking  event  webRequest. onBeforeRequest(-  •  •). 
updates  is  the  selected  output  from  all  the  blocking  handlers  for  the  event.  The  browser  decides  which  is  the  next  step 
based  on  updates. 


A7  =  (\P  ::  -0,  -  -  •)  ip'  =  ws.beforeRequest(«,  ■,  (idt,  idd ,  idn),  ide,  info ,  urlres) 
fresh(ide)  info1  =  (ide,  info) 

e  =  (ide,  webRequest. onBeforeRequest,  none,  info1,  k)  S'  =  S[ip  4=  ip'] 
nextStateC(.F,  webRequestGet(re,  ( idt ,  idd,  idn),  info,  urlres))  =  S'\  e 


WebrequestAPIFire 


updates  =  void  or  noChange 

fresh(ide')  i p'  =  ws.beforeSendHeader(/«,  idcb,  (idt,  idd,  idn),  ide' ,  url ,  info) 

e  =  (ide\  webRequest. on BeforeSend Headers,  none,  info,  n) 

nextState(ws.beforeRequest(/«,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  e 


NS-Ws-BR(l) 


updates  =  Blocked(redirect,  url i)  m/o2  =  updatelnfo(m/o,  updates) 
fresh(ide')  ’ip'  =  ws. b efore Request. red i reef (n,  idcb,  (idt,  idd,  idn),  ide' ,  url\,  info2) 
e  =  (ide\  webRequest. onBeforeRedirect,  none,  info2,  k) 

nextState(ws.beforeRequest(«;,  idc b,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  e 


NS-Ws-BR(2) 


updates  =  Blocked(cancel)  info2  =  updatelnfo (inf o ,  updates) 

idcb  =  •  fresh(ide')  ip'  =  ws.failed(«,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info2) 

e  =  (ide',  webRequest. onErrorOccurred,  none,  info2,  k) 

nextState(ws.beforeRequest(ft,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  e 


NS-Ws-BR(3a) 


updates  =  Blocked(cancel)  idcb  ^  ■  info2  =  updatelnfo(m/o,  updates) 
fresh(ide’)  fresh(ide")  ip'  =  ws.failed(re,  idcb,  ( idt ,  idd,  idn),  ide' ,  url,  info2) 
e!  =  (ide  ,  webRequest. onErrorOccurred,  none,  info2 ,  n)  e"  =  (ide" ,  idcb,  none,  info2,  n) 

nextState(ws.beforeRequest(K,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  e!  ::  e" 


NS-Ws-BR(3b) 


fresh(ide')  ip'  =  ws.beforeRequest(«;,  idcb,  (idt,  idd ,  idn),  ide  ,  url,  info) 
e  =  (ide',  webRequest. onBeforeRequest,  none,  info,  k) 
nextState(ws.beforeRequest.redirect(re,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  void)  =  ip' ,  e 


NS-Ws-BR(4) 


27 


Before  the  header  is  sent  The  state  that  relates  to  the  blocking  event  webRequest.on  BeforeSend Headers  is  ws.beforeSend  Header. 
Depending  on  whether  there  are  blocking  event  handlers,  and  the  result  returned  by  these  handlers,  the  nextState  func¬ 
tion  advances  to  different  states.  Here,  we  also  generate  an  external  event  denoting  that  data  is  send  across  the  network. 


updates  =  void  V  noChange 

fresh(ide')  ip'  =  ws.headerSent(fc,  idcb,  ( idt ,  idd ,  idn),  ide' ,  url,  info ) 
e  =  (ide' ,  webRequest.onSendHeaders,  none,  info,  k)  e!  =  (_,  sendToSever,  (url,  ide'),  k') 

nextState(ws.beforeSendHeader(«;,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  updates )  =  ip' ,  e  ::  e 


NS-Ws-BSH(l) 


The  following  rule  applies  when  the  event  handler  blocks  the  header.  The  blocking  handler  can  rewrite  the  header. 


updates  =  B\ocked(newHeader,  header)  info'  =  updatelnfo(zn/o,  updates) 
fresh(ide')  ip'  =  ws.headerSent(ft,  idcb,  (idt,  idd,  idn),  idj ,  url,  info') 
e  =  (ide’ ,  webRequest.onSendHeaders,  none,  info' ,  k)  e'  =  (_,  sendToSever,  ,  ,  k') 

nextState(ws.beforeSendHeader(«,  idcb,  ( idt ,  idd,,  idn),  ide,  url,  info),  updates)  =  ip' ,  e  ::  e' 


NS-Ws-BSH(2) 


The  following  rule  applies  when  one  of  the  event  handlers  cancels  the  web  request. 


updates  =  Blocked(Cancel))  info'  =  updatelnfo(m/o,  updates) 

idcb  =  •  fresh(ide  )  ip'  =  ws.failed(ft,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info  ) 

e  =  (ide’ ,  webRequest.onErrorOccurred,  none,  info' ,  k) 

nextState(ws.beforeSendHeader(/c,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  e 


NS-Ws-BSH(3a) 


updates  =  Blocked  (Cancel))  idcb  7^  •  info'  =  updatelnfo(m/o,  updates) 
fresh(ide)  fresh(ide  )  ip'  =  ws.failed(/c,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info  ) 
e!  =  (ide  ,  webRequest.onErrorOccurred,  none,  info' ,  k)  e"  =  (ide  ,  idcb,  none,  inf  o' ,  k) 

nextState(ws.beforeSendHeader(«;,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  e!  ::  e" 


NS-Ws-BSH(3b) 


Receiving  header  After  header  is  sent,  the  browser  will  receive  a  header  from  the  server.  The  following  two  rules 
are  the  first  place  the  header  is  received. 


fresh(ide')  ip'  =  ws.headerReceived(«;,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info') 
e  =  (ider ,  webRequest.onHeadersReceived,  none,  inf  o' ,  k) 

nextState(headerRecved(wf,  idt,  idd,  idn,  re),  •)  =  ip' ,  e 


NS-Ws-HS 


Processing  header  Once  the  header  is  received,  the  browser  transitions  to  a  blocking  state,  updates  comes  from  the 
blocking  handlers. 


ip'  =  ws.headerRecvllpdated(«;,  idcb,  (idt,  idd,  idn),  ide,  url,  info,  updates) 
nextState(ws.headerReceived(K,  idcb ,  (idt,  idd,  idn),  ide,  url,  info),  updates)  =  ip' ,  ■ 


NS-Ws-HR 


We  allow  a  blocking  event  handler  to  update  the  header.  In  the  following  rule,  the  web  request  is  for  loading  an 
external  object  (not  a  page).  The  header  does  not  contain  any  CSP.  However,  the  header  may  contain  commands  for 
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setting  cookies,  info  and  updates  contain  cookie  setting  commands  from  the  original  header  and  the  blocking  event 
handlers  respectively. 


D  =  {%■■■) 

\P  =  'f'”  ::  ws.headerRecvllpdated(«;,  idcb,  ( idt ,  idd,  idn),  ide,  url,  info ,  updates) 
updates  =  void  V  noChange  V  B\ocked(newHdr ,  header) 
info '  =  updatelnfo(m/o,  updates) 

'Ll  =  processCookieCmds(K,  info ,  updates)  header  is  for  an  object 
fresh(ide')  if'  =  ws.responseStarted(K,  idcb,  {idt,  idd,  idn),  ide  ,  url,  info') 
e  =  ( id  J ,  webReci  uest.on  ResponceStarted .  none,  info'  ,n) 

']/'  =  'P"  ::  if'  ::  ^  E'  =  27[>P  <=  V] 

nextStateC(27,  ws.headerRecvUpdated(/t,  idcb,  {idt,  idd,  idn),  ide,  url,  info ,  updates))  =  E' ,  e 


NS-Ws-HR-Upd(I) 


If  the  header  is  for  a  document,  we  extract  the  CSP  from  the  header,  and  recompute  the  label  for  the  document. 
Note  that  the  CSP  is  an  additional  layer  of  policy  applied  on  top  of  the  policies  represented  by  the  original  document 
label  id-  The  CSP  can  only  tighten  the  existing  constrains  of  £d-  We  leave  this  function  definition  abstract.  The 
generalized  CSP  could  be  augmented  to  include  additional  information  as  to  how  to  restrict  the  label  of  the  doc. 


E  =  (\P,  Tabs,  ■  ■  ■) 

US'  =  vp"  ::  ws.headerRecvUpdated(«;,  idcb,  {idt,  idd,  idn),  ide,  url,  info ,  updates) 

Tabs  =  Tabs"  ::  t  t  =  {idt,  Docs  ::  Doc, 

Doc  =  {idd,  -  updates  =  void  V  noChange  V  Blocked(new.ffdr,  header) 

header  is  for  a  doc  info'  =  updatelnfo(m/o,  updates) 

fresh{ide')  if'  =  ws.responseStarted(£^  ,  idcb,  {idt,  idd,  idn),  ide  ,  url,  info') 
x'  =  getCSP {info,  updates) 

IPi  =  processCookieCmds(K,  info,  updates)  £'d  =  computeNewLabelfx' ,£d) 

Doc  =  Doc[x  <=  x'}  [Hd  <=  £'d\  t'  =  t[Doc  4=  Doc]  SSt'  =  T,//  ::  if'  ::  \ki 

E'  =  E[t  4=  f,][\P  vP']  e  =  {idj ,  webRequest.onResponceStarted,  none,  info',  k) 

nextStateC(i7,  ws.headerRecvUpdated(K,  idcb,  {idt,  idd,  idn),  ide,  url,  info ,  updates))  =  if' ,  e 


NS-Ws-HR-Upd(2) 


The  browser  enters  a  failed  state  if  the  CSP  blocks  everything  including  the  content  from  the  to-be-fetched  doc 
itself.  This  situation  is  not  likely  to  happen  if  by  default  any  CSP  will  support  its  host  page’s  URL. 


E  =  (\P,  Tabs,  ■  ■  •) 

T'  =  vp"  ::  ws.headerReceived(«;,  idcb,  {idt,  idd,  idn),  ide,  url,  info). updates 

Tabs  =  Tabs  ::  t  t  =  {idt,  Docs  ::  Doc,  _)  Doc  =  {idd,  -  ,  -  ,  -  ,X,^d) 

updates  =  void  V  noChange  V  Blocked(neiuff(ir,  header)  header  is  for  a  doc 

\Pi  =  processCookieCmds(K,  info,  updates)  info'  =  updatelnfo(m/o,  updates) 
x'  =  getCSP  {inf o ,  updates)  0  =  computeNewLabel{x'  ,£d)  fresh{idj) 

if'  =  ws.failed(K,  idcb,  {idt,  idd,  idn),  ide  ,  url,  info2)  =  ’P"  ::  if'  tPi 

E'  =  i7[\P  4=  tP']  e  =  {ide',  webRequest.onErrorOccurred,  none,  info2,  n) 

nextStateC(27,  ws.headerRecvllpdated(K,  idcb,  {idt,  idd,  idn),  ide,  url,  info ,  updates))  =  if' ,  e 


NS-Ws-HR-Upd(3) 
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E  =  (*3/,  Tabs,  ■  ■  ■) 

<3/  =  \E'//  ::  ws.headerReceived(ft,  idcb,  ( idt ,  idd,  idn),  ide,  url,  inf o) .updates 

Tabs  =  Tabs  ::  t  t  =  {idt,  Docs  ::  Doc,  _)  Doc  =  (idd,  -  ,X,^d) 

updates  =  void  V  noChange  V  Blocked (newHdr,  header)  header  is  for  a  doc 

\1/ !  =  processCookieCmds(ft,  info,  updates)  info'  =  updatelnfo(m/o,  updates) 

x'  =  getCSP(m/o,  updates)  0  =  computeNewLabel(x' ,i<i) 

fresh(ide)  fresh(ide  )  if'  =  ws.failed(K,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info2) 

H/'  =  tH"  ::  if'  ::  E'  =  E(^  4=  '3/'] 

e  =  (ide' ,  webRequest.onErrorOccurred,  none,  info2,  k)  e'  =  (ide" ,  idcb ,  none,  info2,  k) 
nextStateC(27,  ws.headerRecvllpdated(/r,  idcb,  (idt,  idd,  idn),  ide,  url,  info ,  updates))  =  if' ,  e  ::  e! 


NS-Ws-HR-Upd(4) 


Content  arriving  When  the  browser  receives  the  content  from  the  server,  the  web  request  is  completed.  The  browser 
goes  to  the  next  state.  It  is  a  afterFetchedDoc  state  if  the  web  request  loads  a  page.  Else,  it  is  a  afterFetched  state. 


£  =  (*.••■) 

T'  =  H/i  ::  contentRecved(wZ,  content ,  k)  ::  ws.responseStarted(/ci,  idcb,  (idt,  idd,  idn),  ide,  url,  info) 
fresh(ide') 

if'  =  ws. completed^  l±l m  ki,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info' ,  content)  idcb  =  • 
e  =  (ide' ,  webRequest.onCompleted,  none,  inf  o' ,  k  Wm  «i)  E1  =  27[\I/  4=  *3/i  ::  if'] 

nextStateC(Z’,  ws.responseStarted(«;1,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  •)  =  E’ ,  e 


NS-Ws-RS(l) 


'T  =  i&i  ::  contentRecved(wrZ,  content,  k)  ::  ws.responseStarted(Ki,  idcb,  (idt,  idd,  idn),  ide,  url,  info) 
fresh(ide  ) 

fresh(ide  )  if'  =  ws.completed(«;  l±l m  ki,  idcb,  (idt,  idd,  idn),  ide  ,  url,  info  ,  content) 
idcb  7^  •  e  =  (ide' ,  webRequest.onCompleted,  none,  inf  o' ,  k  l±l  m  Ki) 
e;  =  (ide” ,  idcb,  none,  inf o' ,  k  Wm  «i)  E'  =  TZfT'  4=  Ti  ::  if'] 

nextStateC(Z’,  ws.responseStarted(Ki,  idcb,  (idt,  idd,  idn),  ide,  url,  info),  •)  =  E' ,  e  ::  e! 


NS-Ws-RS(2) 


“doc”  G  info  framePolicy  G  info  if'  =  afterFetchedDoc(ft,  idt,  idd,  framePolicy,  content) 
fresh(ide')  e  =  (ide\  DOM.beforeLoad,  none,  info,  k) 

P  /  /  /  \  \  \  _/  ^ —  S — 

nextState(ws.completed(Av,  idcb,  ( idt ,  idd,  idn),  ide ,  url ,  info ,  content ),  •)  =  ip  ,  e 


idn  •  A  “doc”  £  info  if'  =  afterFetched (a,  idt,  idd,  idn,  content) 
fresh(ide')  e  =  (ide',  DOM.beforeLoad.  none,  info,  n) 
nextState(ws.completed(ft,  idcb,  (idt.,  idd,  idn),  ide,  url,  info,  content),  •)  =  if' ,  e 


NS-Ws-C-Node 


3.7.3  Content  Loading 

Content  fetched  from  server  is  loaded  to  a  node.  The  node  is  not  a  script  node. 
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E  =  (\F  ::  ip,  Tabs,  Exts,  ExtCoreRs,  ■  ■  •) 

Tabs  =  t  ::  Tabs\  t  =  ( idt ,  Docs  ::  Doc,  urli,  _  ,  _  ,  Itab) 

ip  =  afterFetched(/r,  idt,  idd,  idn,  content )  Doc  =  ( idd ,  nodes,  •  •  •) 

node  £  nodes  node  =  (idn,  attributes ,  -,  contentn,  £n)  type  £  attributes 

type  ^  script  £'n  =  k  \>tnt  £n  node  =  node[contentn  4=  content,  £n  <= 

nodes  =  nodes[node  <=  node  ]  Doc  =  Doc[nodes  <=  nodes  } 

ip'  =  ■  t'  =  t[Doc  <=  Doc]  E'  =  E[t  <=  t'][ip  <=  ip'] 

nextStateC(I7,  afterFetched(/-c,  idt,  idd,  idn,  content)  =  E'\  ■ 


Contentloading 


A  script  is  loaded  to  a  node.  The  browser  extracts  event  handlers  from  the  script. 


E  =  (tF  ::  ip,  Tabs,  Exts,  ExtCoreRs,  ■  ■  •) 

Tabs  =  t  ::  Tabs\  t  =  ( idt ,  _  ,  Docs  ::  Doc,  _  ,  Event-Handlers ,  ■  ■  •) 

ip  =  afterFetched(«;,  idt,  idd,  idn ,  content)  Doc  =  (idd,  nodes,  ■  •  •) 

node  £  nodes  node  =  ( idn ,  attributes,-,  contentn,  in)  type  £  attributes 

type  =  script  £'n  =  k  \>tnt  £n  node  =  node[contentn  4=  content,  £n  4=  £'n J 

nodes  =  nodes[node  <=  node  ]  Doc  =  Doc[nodes  4=  nodes  ] 

EventHandlers  =  registerHandlers(EventHandlers ,  content) 
ip'  =  ■  t'  =  t[Doc  <=  Doc  ([EventHandlers  <=  EventHandlers '] 

E'  =  E[t  <=  t'][ip  <=  ip'] 

fresh(ide)  e  =  (ide,  DOM.scriptLoaded,  (idt,  idd,  idn), (!  ) 

' - - - - - - - - ContentLoadingScript 

nextStateC^Z1,  afterFetched(«;,  idt,  idd ,  idn ,  content)  =  E' ;  e 

After  fetching  the  content  for  a  page,  the  browser  is  ready  to  create  the  page’s  DOM  tree. 


fresh(id)  ip'  =  readytoCreateDoc(iiit,  idd,  id,  content,  n) 
e  =  (id,  webNavigation.onCommitted,  none,  info,  k) 

nextState(X',  afterFetchedDoc(K,  idt,  idd ,  idn,  ide,  content))  =  ip’;  e 


ContentLoadingDoc 


Create  the  DOM  tree  Next,  the  browser  creates  the  DOM  tree  and  injects  content  scripts.  DOM  tree  creation 
contains  three  phases,  DocBegin,  DocEnd,  and  Doddle.  At  each  phase,  the  browser  only  injects  the  content  scripts 
that  are  set  to  run  in  this  phase. 


E  =  (if,  Tabs  ::  t,  Exts,  ExtCoreRs,  •  •  •) 

iF  =  rFi  ::  ip  t  =  (idt,  Docs  ::  Doc,  Doc  =  (idd,  url,  nodes,  DocCSs,  x,  £) 

%p  =  readytoCreateDoc(r«,  idt,  idd,  content)  tpi  =  DocBeginjft,  idt,  idd,  content) 

DocCSs i  =  injectCSAll(Exts,  proglnjCSs,  idt,  idd,  DocBegin) 

Doc  =  Doc[DocCSs  <=  DocCS i]  t'  =  t-[Doc  <=  Doc]  E'  =  E[t  4=  t'] [VF  -4=  rFj  ::  ip{] 

nextStateC(JE,  readytoCreateDoc(«,  idt,  idd,  content))  =  E';  ■ 


CreateDoc(I) 


In  CreateDOC(2),  a  DOM  tree  is  constructed  as  the  browser  renders  a  page.  A  node  could  load  a  single  piece 
of  external  content  (e.g.,  an  image  or  a  text  file)  or  an  iframed  page.  When  a  node  that  requires  a  single  piece  of 
external  content  is  created,  a  corresponding  readyToFetch  state  is  generated  as  well.  The  node’s  label  and  the  state’s 
label  are  computed  based  on  the  node’s  parent’s  label.  When  an  iframe  node  is  created,  the  system  will  generate  a 
corresponding  readyToFetch  Doc  state.  The  node’s  label  is  computed  based  on  its  parent’s  label  and  the  iframe  policy 
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set  by  the  parent  node.  The  readyToFetchDoc  state’s  label  is  computed  merely  based  on  the  node’s  label.  After 
generating  the  DOM  nodes,  and  the  readyToFetch  and  readyToFetchDoc  states  ,  the  document’s  status  proceeds  from 
DocBegin  to  DocEnd  without  loading  external  objects  and  subpages. 


£  =  (\I/,  Tabs  ::  t,  Exts,  ExtCoreRs ,  •  •  •)  T  =  r&i  ::  tp 

ip  =  DocBegin(ft,  idt,  idd ,  content)  (T'2,  t')  =  domTreeCreation{content ,  t) 

t'  =  {idt,  Docs  ::  Doc,  Doc  =  {idd,  url,  nodes,  DocCSs,  x,  t) 

ipi  =  DocEnd(«;,  idt,  idd)  DocCSs  1  =  injectCSAll{Exts,  proglnjCSs,  idt,  idd,  DocEnd) 

Doc  =  Doc[DocCSs  <=  DocCSs  ::  DocCSi ] 

t2  =  t'[Doc  <=  Doc  )  £'  =  £[t  <=  <2][\Ir  <=  ^1  "  ipi  ::  ^2] 

nextStateC(£’,  DocBegin(«;,  idt,  idd,  content))  =  £'\  ■ 


CreateDoc(2) 


£  =  (T1,  Tabs  ::  t,  Exts ,  ExtCoreRs,  •  •  •)  T  =  ::  t  =  {idt,  Docs  ::  Doc,  _  ,  _  ,  _ 

Doc  =  {idd,  url,  nodes,  DocCSs,  x,D)  ip  —  DocEnd(ft,  idt,  idd) 

ipi  =  Docldle(K,  idt,  idd)  DocCSsi  =  injectCS All{Exts ,  proglnjCSs ,  idt,  idd,  Doddle) 

Doc  =  Doc[DocCSs  <=  DocCS  ::  DocCS  1] 

t '  =  t\Doc  <=  Doc]  £'  =  £[t  <=  <=  't'l  ::  ipi) 

nextStateC(T',  DocEnd(«;,  idt,  idd))  =  £' ',  ■ 


) 


CreateDoc(3) 


Content  Script  Injection  When  document  state  changes,  both  the  scripts  in  the  extensions  and  programmatically 
injected  scripts  get  a  chance  to  be  injected  to  the  page.  injectCSExts{Exts ,  idt,  idd,  docState)  extracts  the  content 
scripts  that  can  be  executed  in  the  page  with  tab  ID  idt  and  Doc  ID  idd  from  extensions  Exts.  If  an  extension  is  active, 
the  content  scripts  to  be  injected  are  extracted  from  the  extension’s  static  content  scripts.  If  an  extension  is  inactive, 
none  of  its  content  scripts  will  be  injected  to  the  page. 


DocCSs  1  =  injectCS  Exts  {Exts,  idt,  idd,  docState) 

DocCSs2  =  injectCSs {proglnjCSs,  idt,  idd,  docState) 
injectCS  All  {Exts,  proglnjCSs,  idt,  idd,  docState)  =  DocCSs  1  ::  DocCSs2 


InjectCSsAll 


- - - - - InjectCSExts-Nil 

injectCS Exts {■,  idt,  idd,  docState)  =  ■ 


DocCSsi  =  injectCS  Exts  {Exts,  idt,  idd,  docState) 

DocCSs2  =  injectCS  Ext  {Ext,  idt,  idd,  docState) 
injectCS  Exts  {Exts  ::  Ext,  idt,  idd,  docState)  =  DocCSs  1  ::  DocCSs  2 


InjectCSExts-Cons 


Ext  =  (_  ,  _  ,  ExtCSs,  _  ,  active,  £)  DocCSs  =  injectCSs{ExtCSs ,  idt,  idd,  docState) 
injectCS  Ext  {Ext,  idt,  idd,  docState)  =  DocCSs 


InjectCSExt-  active 


Ext  =  ExtCSs,  -  ,  inactive,  t) 

- - - - - InjectCSExt-inactive 

injectCSExts{Ext,  idt,  idd,  docState)  =  ■ 
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injectCSs{- ,  idt,  idd ,  docState)  =  ■ 


InjectCSs-Nil 


DocCS  =  injectCS  {ExtCS ,  idt, id ,  docState) 

DocCSs  =  injectCSs{ExtCSs ,  idt,  id,  docState) 

injectCSs{ExtCSs  ::  ExtCS,  idt,  idd,  docState)  =  DocCS  ::  DocCSs 


InjectCSs-Cons 


The  content  script  stored  in  an  installed  extension  has  an  empty  tab  ID.  If  it  is  allowed  to  be  injected,  we  fill  in  the 
hosting  tab  ID  in  the  place  of  the  empty  tab  ID.  The  programmatically  injected  scripts  have  a  tab  ID  associated.  This 
tab  ID  has  to  be  the  same  as  the  tab  ID  argument.  Similarly,  we  compute  the  label  for  the  script  and  associate  a  fresh 
ID  with  it.  We  do  not  inject  a  script  if  the  labels  prevent  such  injection. 


ExtCS  =  {id ext,  idcs,  ■,  T,  cmd,  EventHandlers,  runat,  ti)  runat  =  docState 
Doc  =  {idd,  url,  _  ,  _  ,  x,  id)  i'i  =  computeResLab(url,  id~  ,X,  i  i>  id  ext) 
fresh{id)  DocCS  =  {idext,  idcs,  id,  T,  cmd,  EventHandlers,  (\) 

injectCSs{ExtCS ,  idt,  idd,  docState)  =  DocCS 


InjectCSs-Inj-Ext 


ExtCS  =  {idext,  idcs,  idt,  T,  cmd,  EventHandlers,  runat,  £i)  runat  =  docState 
Doc  =  {idd, url,  -  ,  -  ,x, id)  i'i  =  computeResLab{url,id~  ,X,  £1,  idext) 
fresh{id)  DocCS  =  {id ext,  id cs,  id,  T,  cmd,  EventHandlers,  i^) 
injectCSs{ExtCS ,  idt,  id d docState)  =  DocCS 


InjectCSs-Inj 


ExtCS  =  {idext,  idcs,  idt  ,  T,  cmd,  EventHandlers,  runat,  i\) 

Doc  =  {idd,url,_  ,_  ,x,id)  i'i  =  computeResLab{url,id~ ,X,ii,  idext) 
runat  ^  docState  or  {idt  7^  id t  and  id)  7^  •)  or  i\  =  0 

inj ectCSs {ExtCS ,  idt,  idd,  docState)  =  ■ 


InjectCSs-Discard 


3.8  Browser-specific  Rules 

3.8.1  Rules  for  Accessing  DOM 

DOM  node  details  Scripts  can  not  only  read  and  write  DOM  nodes  but  also  change  the  tree  structure  of  DOM  by 
inserting,  deleting,  and  moving  node  pointers.  We  distinguish  between  labels  related  to  the  structure  of  the  DOM  tree 
and  the  label  for  the  content  stored  in  the  node.  In  the  following,  a  node  contains  four  labels  in  its  attribute  field: 
iparent  is  the  label  for  parent  point,  ichildren  the  label  for  the  children  points,  ipre  the  label  for  the  previous  sibling 
pointer,  and  £SUcc  the  label  for  the  succeeding  sibling  pointer.  For  a  script  to  change  a  node’s  parent  pointer,  the  script’s 
label  must  be  lower  or  equal  to  the  target  node’s  £parent- 

Node  node  ::=  {id,  attributes,  nodes,  content,  i) 

Attributes  attributes  .. —  {type,  url,  iparent,i children,  ipre,  isucc,  *  *  *) 

DomGetNodePointer  Scripts  can  access  DOM  nodes  in  the  same  document.  Scripts  can  refer  to  one  or  a  list 
of  elements  by  attributes  (e.g.,  node  ID  and  tag)  through  the  document. getElements*  API.  For  example,  with  “var 
myList  =  document. getElementsByTagName(“p”)”,  my  List  refers  to  the  pointers  of  the  nodes  with  tag  “p”.  To  get 
the  value  of  a  specific  node  property  prop  of  a  node,  one  can  use  a  command  like  “value  =  myList[0].prop”,  where 
myList[0]  is  the  pointer  to  the  target  node. 

In  this  rule,  we  model  the  document. getElementsBy*  APIs  with  domAPI.getl\lodePointer(zdt,  idd,  query),  idt 
and  idd  indicate  to  which  tab  and  doc  the  caller  script  belongs.  Different  document.getElementsBy*  APIs  match  to 
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different  querys.  E.g.,  for  “var  myList  =  document. getElementsByTagName(”p”);”,  query  should  be  “TagName,  p”. 
pointersOf(nodes)  denotes  the  pointers  of  nodes. 

A  script  could  attemp  to  leak  secrets  by  affecting  the  return  results  of  such  queries.  For  instance,  if  a  secret  script 
deleted  a  node  with  tag  “p”,  an  attacker  that  used  the  API  to  return  all  pointers  to  nodes  with  tag  “p”  can  observe  the 
elements  returned  and  know  whether  the  first  script  have  deleted  the  element.  Mitigate  this  leak,  we  assume  this  is 
a  lable  assigned  to  each  query.  When  the  return  results  change,  the  label  of  the  qeury  will  reflect  that  change.  For 
instance,  there  is  a  global  label  for  elements  with  tag  “p”.  When  one  program  with  label  l  \  deletes  an  element  with  tag 
“p”,  then  the  label  for  the  quey  is  updated  to  be  tainted  by  the  label/!.  In  practice,  this  data  structure  needs  to  be  built 
and  maintained  by  the  browser  runrume. 

If  the  caller’s  label  is  lower  than  the  label  of  the  query,  the  system  returns  the  matching  nodes’  pointers.  The 
caller’s  label  gets  tainted  by  the  matching  nodes’  labels.  Otherwise,  the  execution  gets  stuck. 


£ctx(id)  =  (’f,  Tabs  ::  tctx(id),  ■  ■  ■) 

£  =  ctxOfld(X,cte[  T,  let  x  =  domAPI.getNodePointer(zcZt,  idd ,  query)  in  cmd  | id,  id) 
k  =  £*  t  =  ( idt ,  Docs  ::  Doc,  •  •  •) 

Doc  =  ( idd ,  ■  ■  ■)  kq  =  \abOfQ(query ,  Doc)  kq~  C  k 

nodesi  =  QueryNodes (query ,  Doc)  E'ctx(id)  =  updat e(Sctx(id),  kq  \>tnt  £) 

Sctxj  r,  let  x  =  domAPI.getNodePointer(*dt,  idd,  query)  in  cmd 

ca  II  (dom  API.  get  NodePointer,  (idt,  id  d,guery),pointersOf(  nodes  i),kq)  .  -n  ,r  ■  r\rt  ,  \  /  1  n 

— Lctx  1 1 ,  cma [pointersOf  (noaesij/zj  [j id]  ■ 


DomGetNodePointer 


Dctx(id)  =  (’P,  Tabs  ::  tctx(id),  ■  ■  ■) 

£  =  ctxOfld(X,cte[  T,  let  x  =  domAPI.getNodePointer(zc/t,  idd,  query)  in  cmd  id) 
k  =  l*  t  =  (idt,  Docs  ::  Doc,  ■  ■  •) 

Doc  =  (idd,  •  •  ■)  kq  =  \abOf Q(query,  Doc)  kq~  %  k 

Dctx\  r,  let  x  =  domAPI.getNodePointer(zdt,  idd,  query)  in  cmd  stuck 


DomGetNodePointerS 


DomNodeRead  Given  a  pointer  to  a  node,  a  property  value  of  the  node  is  read  through  a  command  like  “value  = 
myList[0].prop’’.  name  is  the  property  name.  The  system  returns  the  value  if  the  node’s  label  is  lower  than  k.  The 
caller’s  label  gets  tainted  by  the  node’s  label.  Or  else,  the  system  gets  stuck. 


Dctx(id)  =  (’f,  Tabs  ::  tctx(id),  ■  ■  ■) 

£  =  ctxOfld^cfecJ  T,  let  x  =  domAPI.readNode(zc/t,  idd,  idn,  name)  in  cmd  [ id,  id) 
k  =  £*  t  =  (idt,  Docs  ::  Doc,  ■  ■  ■) 

Doc  =  (idd,  ■  ■  ■)  node  €  Doc  node  =  (idn,  ■  ■  ■  ,£n)  £n~  G  k 

result  =  getPropertyValue(noc?e,  name)  E'ctx(id)  =  updat e(Sctx(id),£n~  >tnt  £) 
Dctx\  E,  let  x  =  domAPI.readl\lode(ziit,  idd,  idn,  name)  in  cmd 

ca!l(domAPI. readNode, (idt, idd,id,n, name), result, Cn~)  ^  n  .  .  .  n 

— ►  sctx  1  r>  cmd[result/x\  lid;  ■ 


DomNodeRead 


DomNodeWRITE(I)  A  script  is  allowed  to  update  the  content  of  a  node  if  its  label  is  lower  than  the  node’s  label. 
In  this  rule,  the  script  updates  the  whole  node,  and  can  assign  the  node  with  a  new  label  which  should  be  lower  than 
the  script’s  label.  DomNodeWrite  API  does  not  return  any  value. 
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Zctxiid)  =  ('L,  Tabs  ::  tctx(id),  ■  •  •) 

£  =  ctxOfld(X,cte[  T,  domAPI.writel\lode(zdt,  idd,  idn,  content' ,  K\)  [id ,  id)  n  =  £~ 
t  =  ( idt ,  _  ,  Docs  ::  Doc,  •  •  ■) 

Doc  =  (idd,  -  ,  nodes,  _  ,  _  )  node  €&  nodes  node  =  (idn,  _  ,  _  ,  content,  £node ) 

E  ^node  node  —  (’ldn,  -  ,  -  ,  Content  ,  K\  (^tnt  £node ) 

.Doc/  =  -Doc[node  4=  node')  t'  =  t[Doc  4=  Hoc/]  Sctx(id)'  =  Sctx(id)[t  4=  t'] 
Sctx\  T,  domAPI.writel\lode(zdt,  zdd,  idn,  content' ,  K\)  [id 

call(domAPI.  writeNode,(idi ,  idd,  idn,  content' ,  ,  „  n 

— ►  ^cta:I r,  skip  lid;  - 


DomNodeWrite(I) 


DomNodeWRITE(2)  A  script  fails  to  write  something  to  a  node  by  assignment.  Label  check  fails,  or  the  target 
node  does  not  exist.  DomNodeWrite  API  does  not  return  any  value. 


Dctx(id)  =  ('L,  Tabs  ::  tctx(id),  ■  ■  •) 

l  —  ctxOfld(X,cte[  T,  domAPI.writel\lode(idt,  idd,  idn ,  content' ,  K\)  [id,  id) 
t  =  (idt,  -  ,  Docs  ::  Doc,  •  •  •)  Doc  =  (idd,  -  ,  nodes,  _  ,  _  ) 

0node  £  nodes  s.t.  node  =  (idn,  ■  ■  •)) 

or  (3node  £  nodes  s.t.  node  =  (idn,  ■  ■  ■ ,  £node )  and  K  %  £node*) 

Dctx\  T,  domAPI.writeNode(zdt,  idd,  idn,  content' ,  K\)  | id 

ca\\(domAP\.wr\teNode, (idt, idd,idn, content' ,ni)  n  -n  .  n 

— S>  2jctx  \  T,  skip  ;• 


DomNodeWrite(2) 


DomGetChildren  This  API  returns  the  set  of  pointers  of  the  children  of  a  node.  The  caller’s  label  must  be  lower 
than  or  equal  to  the  children  point  label  of  the  node;  otherwise,  the  program  is  stuck. 


Dctx(id)  =  ('L.  Tabs  ::  t.ctx(id),  ■  •  •) 

£  =  ctxOfld(27ctx[  T,  let  x  =  domAPI.getChildren(idt,  idd,  idn)  in  cmd  [id,  id) 
k  =  £*  t  =  (idt,  Docs  ::  Doc,  ■  ■  •) 

Doc  =  (idd,  ■  ■  •)  node  £  Doc  node  =  (id„,  nodes,  (•  •  •  ,£children,  ■  ■  •)>  ■  ■  ■  ,£n) 

£  children  1=  n  D ctx(id)  —  Lipdat  ^(Dctx  (id),  £  children  P*  tnt  T) 

Sctx\  T,  let  x  =  domAPI.getChildren(zdt,  idd,  idn)  in  cmd  [id 

call(domAPI.getChildren,  (idt,  idd,  idn), poirttersOf  (nodes), £children~)  n  „  ,r  ■  rsr/  ,  \i  in 

— >  Acte|  I ,  cmd[pointersOf  (nodes)  jx)  f^;  • 


DomGetChildren 


DomGetParent  This  API  returns  a  node’s  parent  pointer,  if  the  caller’s  label  is  lower  than  or  equal  to  the  node’s 
parent  pointer  label.  Otherewise,  the  execution  gets  stuck. 


DomGetParent 

Zctx(id)  =  (’L,  Tabs  ::  tctx(id),  ■  •  •) 

£  =  ctxOfld(I7cte[  T,  let  x  =  domAPI.getParent(zdt,  idd,  idn)  in  cmd  [id,  id)  k  =  £* 
t  =  (idt,  Docs  ::  Doc,  ••  •)  Doc  —  (idd,-  ■  ■)  node  £  Doc  node  =  (idn,(- ■■  ,£parent,- ■■),■■■  ,£n) 

£parent  !=  tv  p  —  patentOf  (id,  Doc)  D  ctx(id)  —  updat &(  Dctx  (id),  £  parent  ^  tnt  £) 

Sctx\  T,  let  x  =  domAPI.getParent(zdt,  idd,  idn)  in  cmd  [id 


all(domAPI.getParent,(idt,idd,*dn),p,^pore„(  ) 


Ktxl  T,  cmd[po\ntersOf(idParent)/x\  [,d; 
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DomGetPreSibling  Get  a  node’s  previous  sibling. 


DomGetPreSibling 

Ectx{id)  =  (^,  Tabs  ::  tctx{id),  ■  •  •) 

i  =  ctxOfld(Z’cte|  T,  let  x  =  domAPI.getPreviousSibling(ziit,  idd,  idn)  in  cmd  [j^,  id) 
k  =  £*  t  —  ( idt ,  Docs  ::  Doc,  ■  •  •)  Doc  =  {idd,  ■  ■  •) 

node  £  Doc  node  =  (idn,  (•  •  • ,  £pre,  •••)>■•  • ,  £n)  £Pre  Qn  p  =  preSiblingOf(zd„,  Doc) 

E ' ctx{^d)  Update(J7 ctx{^d),£pre  ^ tnt  £) 

Ectx\  F,  let  x  =  domAPI.getPreviousSibling(zdt,  idd,  idn)  in  cmd  \id 

callfdomAPl.getPreviousSibling^idijidd.idnbp.tpre-)  ,  „  ,  ,  ,  „ 

— >  sctxlr,  cmd \p/x\\id;- 


DOMAppendChildren  Append  a  child  node  to  a  node  node.  node\  is  the  to-be-appended  node,  node i  has  a  label 
l\  which  can  be  lower  than  k.  When  the  domAPl.appendChild  API  call  is  issued,  in  the  rule  FireAPICall-S2,  we 
make  sure  that  labOf(no<iei)  is  lower  than  k. 

DOMAppendChildren:  Successfully  appends  node i  to  node.  There  are  three  cases:  a)  the  node  will  not  load 
contents  from  a  server;  b)  the  node  will  load  an  external  object,  for  example,  an  image;  c)  the  node  will  load  a  page 
into  an  iframe.  For  case  lb,  a  readyToFetch  state  will  be  generated.  For  case  lc,  a  readyToFetchDoc  state  will  be 
generated. 

DomAppendChildren(  a) 

Dctx{id)  =  (’P,  Tabs  ::  tctx(id),  ■  ■  ■) 

£\  =  ctxOfld(27cte[  F,  let  x  =  domAPI.appendChild(zdt,  idd,  idn ,  node \,£\)  in  cmd  [ id,  id) 
n  =  £\~  t  =  {idt ,  -  ,  Docs  ::  Doc,  ■  ■  •) 

Doc  =  {idd,  -  ,  nodes,  _  ,  _  )  node  £b  nodes  node  =  {idn,  (•  •  • ,  £ children ,  ■  ■  ■)>  nodes i,  ■  ■  ■ ,  £n) 

node  i  =  {idi,  {■  ■  ■  ,£Parent,  £pre, -  ,£i)  $url  £  attributes 

K  L  £  children.  C  T  bparent  C  L  £pre  £succ  —  nextSl  bleOf  ( last(  nodeS\ ))  K  G  £SUcc 

Doc  =  Doc[node  <=  append  {node,  node ^)]  t’  =  t[Doc  <=  Doc]  E'ctx{id)  =  Ectx{id)[t  <=  t'] 

Ectx\  T,  let  x  =  domAPI.appendChild(ziit,  idd,  idn,  node \,£\)  in  cmd 

call(domAPI.appendChild,( idt ,idd  ,idn  ,node\ ,ti),pointersOf(node \  ),k)  .  n  ,  „ 

— Dctx\  T,  cma [pointersOf {node1) / x\  f^;  * 


DomAppendChildren(b) 

Dctx{id)  =  ('P,  Tabs  ::  tctx{id),  ■  •  •) 

£  =  ctxOfld(X,cta;[  F,  let  x  =  domAPI.appendChild(zc!t,  idd,  idn,  node \,£\)  in  cmd  \id,  id) 
k  =  i\  ~  t  =  {idt,  -  ,  Docs  ::  Doc,  •  •  ■) 

Doc  =  {idd,  -  ,  nodes,  _  ,  _  )  node  £b  nodes  node  =  {idn,  {■  ■  ■ ,  £chUdren,  *  •  •)>  nodes i,  •  •  • ,  £n) 
node  i  =  {id\,  (•  •  • ,  £  parent ,  £pre ,  ’),  -  ,£\)  ur l  G  attributes  “ doc "  ^  attributes 

ipi  =  readyToFetch(K,  {idt,  idd,  idn),  url)  k  C  £chudren*  nQ£  parent  A  IT  £pre 

£succ  =  nextSibleOf(last(no<iesi))  n  C  £suc c*  Doc'  =  Doc[node  <=  append  {node,  node[ )] 

t'  =  t\Doc  <=  Doc  ]  E'ctx{id)  =  E ^{id)]^  A=  ^  ::  t/'i][f  <=  t'] 

Ectx\  T,  let  x  —  domAPI.appendChild(ziit,  idd,  idn,  nodei,£i)  in  cmd 

caU(6orr\AP\.apper\dCU\\d,(idt,idcL,idn,nodei,£i),po\ntersOf(node'1),K,)  .  . 

— Ectx |  T,  cmd\po\nte'csOt{node1)/x\  [l(z;  • 


36 


Sctx(id)  =  (’P,  Tabs  ::  tctx(id),-  •  •) 

t  =  ctxOfld(£’cte[  T,  let  x  =  domAPI.appendChild(i(it,  idd,  idn,  nodes, (i)  in  cmd  \id,  id) 

k  =  i\~  t  =  ( idt ,  _  ,  Docs  ::  Doc,  ■  •  •)  Doc  =  (idd,  -  ,  nodes,  _  ,  _  ) 

node  Gf ,  nodes  node  =  ( idn ,  (•  •  • , (children,  -  ■  •)>  nodes  1,  •  •  •  ,(n) 

node i  =  (id\,  (■  ■  •  ,£parent,(pre,  ■),  -  ,(i)  url  G  attributes 

“doc"  G  attributes  ips  =  readyToFetchDoc(«,  idt,  idn,  ids,  url) 

K  ^  ( children  hi  ^  ( parent  hi  ^  (pre  ( succ  —  nextSlbleOf ( laSt(?TO(ieSi)) 

hi  C  l succ *  Doc  =  Doc[node  <=  append  (node,  node\)] 

t'  =  t[Doc  <=  Doc]  E'ctx(id)  =  Ectx(id)\^>  <=  Ik  ::  ips][t  <=  t'] 

Ectx [  r,  let  x  =  domAPI.appendChild(zdt,  idd,  idn,  node s,(i)  in  cmd  \id 

call(domAPI.appendChild,(idf  ,idd,idn,nodei  ,^i),pointersOf(node^),Ac)  ,  . 

— >  -S'ctel  r,  cma[pointersOf(noae1)/xJ  |jd;  • 


DomAppendChildren(c) 


DomRemoveChild  A  scrip  can  remove  the  child  node  from  a  node  if  all  labels  that  need  to  be  updated  after  the 
node  is  removed  are  lower  than  or  equal  to  the  scripts  labe.  That  is,  the  labels  of  the  parent,  children,  pre-sibling, 
and  next-sibling  allow  it.  Finally,  we  need  to  update  the  query  set  labels  that  are  affected  by  the  removal  of  the  node. 
Function  updateQ(Doc,  n,  nodec)  taints  all  the  labels  for  queries  that  are  affected  by  the  removeal  of  nodec.  For 
instance,  if  the  node  removed  has  a  tag  “p”,  then  the  label  for  the  query  “p”  needs  to  be  updated. 


Ectx  (id)  =  Tabs  ::  tctx(id),-  ■  ■) 

(  =  ctxOfld^ctaJ  T,  let  x  =  domAPI.removeChild(*dt,  idd,  idp,  idc)  in  cmd  \id,  id) 
k  =  (~  t  =  (idt,  -  ,  Docs  ::  Doc,  ■  ■  ■)  Doc  =  (idd,  -  ,  nodes,  _  ,  _  ) 
node  =  (idp,m,  nodes\  ::  node s  ::  nodec  ::  node 2  ::  nodes 2,  (•  •  • ,  (children, 
node  1  (*  *  * ,  (*  *  * ,  (succ  ,*••),•••)  node 2  (***)(*** ,  ( pre 

hi  [=  (children  hi  ft  (succ  K  El  (pre 

node s  —  node\\(Succ  hi  t>tnt  ^succ]  node2  nodes \(Pre  hi  t>tnt  (Pre\ 
node'  =  (idp,  m,  nodess  ::  node \  ::  node2  ::  nodes2,  (■■■,«;  >tnt  ( children ,  ■  ■  •)>  (p) 
Doc  =  updateQ(Doc[no<ie  4=  node  ],  n,  nodec) 
t!  =  t[Doc  <=  Doc]  Ectx(id)'  =  Ectx(id)[t  <=  t'] 

Ectx [  r,  let  x  =  domAPI.removeChild(i(it,  idd,  idp,  idc)  in  cmd 

call(domAPI.removeNode,(icZt ,  idd,  idp,  id  c),po\ ntersOf(  node),  k) 


node  G  nodes 

),(P) 


DomRemoveChild 


27'ta|r,  cmd[po'\ntersOf(node)/x]  f  • 


3.8.2  Rules  for  Accessing  Bookmarks 

We  adopt  multi-level  bookmarks.  There  are  1 1  methods  in  the  Bookmark  API.  The  first  six  rules  only  query  the  book¬ 
marks  by  using  bookmarkQuery  function.  The  last  five  rules  update  the  bookmarks  using  bookmarkWrite  function. 


Query  bookmarks  First  we  define  an  auxiliary  function  selectBookmark  to  select  a  bookmark  from  the  set  of 
bookmarks  MBookmarks  based  on  labels.  The  selection  criteria  include:  1)  the  label  should  be  lower  than  n;  and 
2)  it  is  the  latest  updated  one  among  the  MBookmarks  with  lower  label  than  «(or  anything  else  depending  on  the 
implementation).  The  function  selectBookmark  returns  a  bookmark  that  satifies  the  above  conditions.  If  no  matching 
bookmarks  can  be  found,  the  function  returns  NONE. 


MBookmarki  =  (bookmarks ,  Ks)  MBookmarks  G  MBookmarks 
V MBookmark  G  MBookmarks  s.t.  labOf  (MBookmark)  EE  n 
\aterlipdated(MBookmarks,  MBookmark)  =  true 

bookmarks  =  se\ectBookmark(MBookmarks,  n) 


Ki  EE  K 


SelectBookmark 
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BookmarkGet:  Get  a  set  of  bookmark  items  based  on  their  IDs.  Given  MBookmarks  and  n,  we  first  select  a 
bookmark  using  selectBookmark,  then,  we  query  the  returned  bookmark.  The  qurey  result  is  placed  in  an  event  that 
will  eventually  trigger  the  callback  function  for  processing  the  query  result. 


E  =  (>k,  •  •  • ,  MBookmarks,  ■  ■  •)  \l/  =  \Ef/  : :  chrome. bookmarks. get(«,  idcb,  ids ) 

bookmarks  =  selectBookmark  (MBookmarks ,  k) 

result  =  bookmarkQuery  (bookmarks,  chrome. bookmarks. get,  ids) 

fresh(ide)  e  =  ( ide ,  idcb ,  none,  result,  k)  E'  =  ii'f'k  4=  \k'] 

nextStateC(i7,  chrome. bookmarks. get(/c,  idcb,ids ))  =  E'\  e 


BookmarkGet 


The  rules  BookmarkGetChildren,  BookmarkGetRecent,  BookmarkGetTree,  BookmarkGet- 
SubTree  and  BookmarkSearch  are  similar  to  BookmarkGet. 

BookmarkGetChildren:  Given  an  ID,  get  a  bookmark  item’s  children. 

E  =  (' k ,  •  •  • ,  MBookmarks,  ■  ■  •) 

T  =  T1'  ::  chrome. bookmarks. getChildren(«;,  idcb,  id) 
bookmarks  =  selectBookmark  (MBookmarks,  k) 

result  =  bookmarkQuery  (bookmarks ,  chrome. bookmarks. getChildren,  id) 

fresh(ide)  e  =  (ide,  idcb,  none,  result,  n)  E'  =  4=  ’k'] 

’ - - - - - - - - — - - - BookmarkGetChildren 

nextStateC(i7,  chrome. bookmarks. getChildrenfK,  idcb,  id))  =  E  ;  e 


BookmarkGetRecent:  Retrieves  the  recently  added  bookmarks.  Returns  at  most  number  bookmark  items. 
E  =  ('k,  •  •  • ,  MBookmarks,  ■  ■  ■) 

\k  =  \k7  ::  chrome. bookmarks. getRecent(«:,  idcb,  number) 
bookmarks  =  selectBookmark  (MBookmarks,  n) 

result  =  bookmarkQuery  (bookmarks ,  chrome,  bookmarks.  getRecent,  number ) 
fresh(ide)  e  =  (ide,  idcb,  none,  result,  k)  E'  =  li’f'k  4=  \k'] 

’ - — - - - BookmarkGetRecent 

nextStateC(i7,  chrome. bookmarks. getRecent(«:,  idcb,  number))  =  E  ;  e 


BookmarkGetTree:  Retrieves  the  entire  bookmarks  hierarchy. 


E  =  (\k,  •  •  • ,  MBookmarks,  ■  ■  ■)  \k  =  T,/  ::  chrome. bookmarks. getTree(ft,  idcb) 

bookmarks  =  se\ectBookmark(MBookmarks,  k) 

result  =  bookmarkQuery  (bookmarks ,  chrome,  bookmarks.  getTree) 

fresh(ide)  e  =  (ide,  idcb.  none,  result,  k)  E'  =  I7[\k  4=  'k'] 

' - - - - ; - - - BookmarkGetTree 

nextStateC(Z’,  chrome. bookmarks. getTreefrt,  idcb))  =  E  ;  e 


BookmarkGetSubTree:  Retrieves  the  subtrees  of  bookmark  node  with  ID  id. 
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E  =  ('I',  •  •  • ,  MBookmarks,  ■  ■  ■) 

=  '3//  ::  chrome. bookmarks. getSubTree(/-c,  idcb,  id) 
bookmarks  =  selectBookmark (MBookmarks,  n) 

result  =  bookmarkQuery  (bookmarks ,  chrome. bookmarks. getSubTree,  id) 

fresh(ide)  e  =  ( ide ,  idcb ,  none,  result ,  k)  E'  =  A’f'I'  4=  \E,/] 

' - - - - - - - - - - - BookmarkGetSubTree 

nextStateC(J7,  chrome. bookmarks. getSubTree(ft,  idcb,  id))  =  E  ;  e 

BookmarkSearch:  Searches  for  BookmarkTreeNodes  that  match  with  a  given  query. 


E  =  ('I',  •  •  • ,  MBookmarks,  •  •  •)  =  \E''  ::  chrome. bookmarks. search(ft,  idcb,  query) 

bookmarks  =  selectBookmark  (MBookmarks,  k) 

result  =  bookmarkQuery  (bookmarks ,  chrome. bookmarks. search,  query) 
fresh(ide)  e  =  (ide,  idcb ,  none,  result,  n)  E'  =  27[\I>  4=  \E,/] 

nextStateC(XI,  chrome. bookmarks. search(«;,  idcb,  query))  =  E1;  e 


BookmarkSearch 


Update  bookmarks  The  APIs  that  update  bookmarks  will  only  update  one  of  the  bookmark  trees  in  the  mulit-level 
bookmarks.  If  API  caller’s  simple  label  exactly  matches  one  bookmark  tree,  then  that  bookmark  tree  will  be  updated. 
Otherwise,  the  selectBookmark  will  be  called  to  select  the  closest  one  to  be  updated. 

BookmarkCreate(I):  Add  a  new  bookmark  item  under  a  directory  with  ID  idparent.  positionlndex  is 
the  new  item’s  position  index,  title  is  the  bookmark  item  title,  url  is  the  URL.  There  is  a  copy  of  MBook- 
mark  MBookmark  in  MBookmarks  with  the  same  label  as  the  caller’s  label.  In  this  case,  we  directly  update 
MBookmark.  If  MBookmark  does  not  contain  a  directory  with  ID  idparent,  we  set  result  as  void;  else,  result 
contains  (id parent',  positionlndex ,  title,  url). 


E  =  (rp,  •  •  • ,  MBookmarks,  ■  ■  •) 

T  =  \E,/  ::  chrome. bookmarks. create(«;,  idcb,  (id parent,  positionlndex ,  title,  url)) 

MBookmarks  =  MBookmarks  ::  (bookmarks ,  n) 

(bookmarks',  result)  =  bookmarkVJ r\te(bookmarks ,  chrome. bookmarks. create, 

(idparent’,  positionlndex,  title,  url)) 

fresh  (id  e) 

e  =  (id e,  idcb,  none,  result,  k)  MBookmarks  =  MBookmarks  ::  (bookmark  ,k) 

E’  =  £’['!'  -£=  ^'([MBookmarks  <=  MBookmarks'] 

- - - - - - - - - - —  BookmarkCreate(I) 

nextStateC(A,  chrome,  bookmarks.  create(ft,  idcb,  (idparent,  positionlndex,  title,  url)))  =  E  ;  e 

BookmarkCreate(2):  There  does  not  exist  a  MBookmark  with  label  k.  We  select  a  MBookmark  MBookmark s 
through  selectBookmark  (MBookmarks,  k),  and  then  generate  a  new  MBookmark  MBookmark's  from  MBookmarks 
by  replacing  its  label  with  n.  Then  we  add  a  new  bookmark  item  to  MBookmark's  .  The  result  of  the  write  operation 
will  be  returned  through  result. 
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£  =  (\k,  •  •  • ,  MBookmarks,  •  •  •) 

\k  =  \E,/  ::  chrome. bookmarks. create(«;,  idcb,  (idparent,  positionlndex ,  title,  url )) 
$MBookmark  £  MBookmarks  s.t.  labOf  (MBookmark)  =  k 
bookmarksi  =  selectBookmark (MBookmarks,  n) 

( bookmarks result)  =  bookmark\Nnte(bookmarksi,  chrome. bookmarks. create, 

(id parent i  positionlndex,  title,  url)) 

fresh(ide) 

e  =  ( ide ,  idcb,  none,  result,  k)  MBookmarks  =  MBookmarks  ::  (bookmarks1,  k) 

£'  =  I7[*k  4=  \k ’’([MBookmarks  4=  MBookmarks '] 
nextStateC(27,  chrome. bookmarks. create(ft,  idcb,  (id parent,  positionlndex ,  title,  url)))  =  £';  e 


BookmarkCreate(2) 


The  rules  BookmarkMove(I),  BookmarkUpdate(I),  BookmarkRemove(I),  BookmarkRemoveTree(I) 
are  similar  to  the  rule  BookmarkCreate(I). 

The  rules  BookmarkMove(2),  BookmarkUpdate(2),  BookmarkRemove(2),  BookmarkRemoveTree(2) 
are  similar  to  the  rule  BookmarkCreate(2). 


BookmarkMove:  Moves  the  specified  BookmarkTreeNode  to  the  provided  location. 


£  =  (\k,  •  •  • ,  MBookmarks,  ■  ■  ■) 

*k  =  \k'  ::  chrome. bookmarks. move(K,  idcb,  (id,  idparent,  positionlndex)) 

MBookmarks  =  MBookmarks "  ::  (bookmarks ,  n) 

(bookmarks' ,  result)  =  bookmarkWrite(6oofcmarfa,  chrome. bookmarks. move, 

(k,  idcb,  (Id,  idvarent, positionlndex))) 

fresh  (ide) 

e  =  (ide,  idcb,  none,  result,  n)  MBookmarks  =  MBookmarks  ::  (bookmark  ,  n) 

£'  =  27[’k  <=  ^’[[MBookmarks  4=  MBookmarks'] 

- - - - - - - — - - —  BookmarkMove!  1) 

nextStateC^Z1,  chrome. bookmarks. move(rc,  idcb ,  (id,  idparent,  positionlndex)))  =  £  ;  e 


£  =  (\k,  •  •  • ,  MBookmarks,  ■  ■  ■) 

\k  =  \k'  ::  chrome. bookmarks. move(rc,  idcb,  (id,  idparent,  positionlndex)) 
f^MBookmark  £  MBookmarks  s.t.  labOf  (MBookmark)  =  n 
bookmarksi  =  selectBookmark  (MBookmarks,  k) 

( bookmarks result)  =  bookmarkWrite(6oofcmarfai,  chrome. bookmarks. move, 

(k,  idcb,  (id,  idparent,  positionlndex))) 

fresh  (ide) 

e  =  (ide,  idcb,  none,  result,  k)  MBookmarks  =  MBookmarks  ::  (bookmarks1,  k) 

£'  =  27 [\k  <=  ^'[[MBookmarks  <=  MBookmarks'] 

- - - - - - - — - - —  BookmarkMove(2) 

nextStateC^,  chrome. bookmarks. move(rc,  idcb,  (id,  idparent,  positionlndex)))  =  £  ;  e 


BOOKMARKUPDATE:  Updates  the  properties  of  a  bookmark  or  folder.  Specify  only  the  properties  that  you  want 
to  change;  unspecified  properties  will  be  left  unchanged.  Note:  Currently,  only  ’title’  and  ’url’  are  supported. 
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£  =  ('I',  •  •  • ,  MBookmarks,  ■  ■  ■) 

\1/  =  \Ef/  ::  chrome. bookmarks. update(«,  idcb ,  (id,  title,  url)) 

MBookmarks  =  MBookmarks'1  ::  (bookmarks ,  k) 

(bookmarks' ,  result)  =  bookmarkW r\te(bookmarks ,  chrome. bookmarks. update, 

(k,  idcb,  (id,  title,  url))) 

fresh(ide) 

e  =  (id e,  idcb,  none,  result,  k)  MBookmarks  =  MBookmarks  v.  (bookmark  ,  n) 
S'  =  £\$!  <=  ’3/' ][MBookmarks  4=  MBookmarks  } 

nextStateC(i7,  chrome. bookmarks. update(«,  idcb,  (id,  title,  url)))  =  £']  e 


BookmarkUpdate(I) 


£  =  (*P,  •  •  • ,  MBookmarks,  ■  ■  ■) 

\P  =  IP'  ::  chrome. bookmarks. update(r«,  idcb,  (id,  title,  url)) 

$MBookmark  £  MBookmarks  s.t.  labOf  (MBookmark)  =  ti 
bookmarksi  =  selectBookmark (MBookmarks,  n) 

( bookmarks ),  result)  =  bookmarkWrite(&oofcraarfcsi,  chrome. bookmarks. update, 

(k,  idcb,  (id,  title,  url))) 

fresh(ide) 

e  =  (ide,  idcb,  none,  result,  k)  MBookmarks  =  MBookmarks  ::  (bookmarks1,  k) 
£'  =  I7['P  \1//]  [MBookmarks  4=  MBookmarks '] 

nextStateC(27,  chrome. bookmarks. update(«,  idcb ,  (id,  title,  url)))  =  £'•,  e 


BookmarkUpdate(2) 


The  chrome. bookmarks. remove  API  removes  a  bookmark  or  an  empty  bookmark  folder. 


£  =  (>P.  •  •  • ,  MBookmarks,  •  •  •)  \P  =  *P'  ::  chrome. bookmarks. remove(«;,  idcb,  id) 
MBookmarks  =  MBookmarks "  ::  (bookmarks ,  k) 

(bookmarks' ,  residt)  =  bookmarkWrite(6oofcmorfcs,  chrome. bookmarks. remove(ft,  idcb,  id)) 
fresh(ide) 

e  =  (ide,  idcb,  none,  result,  k)  MBookmarks  =  MBookmarks  ::  (bookmark  ,  n) 

£'  =  27[rp  rp' ][MBookmarks  4=  MBookmarks '] 

nextStateC(i7,  chrome. bookmarks. remove(K,  idcb,  id))  =  £';e 


B  OOKM  ARKREMOVE(  1 ) 


£  =  (*P,  •  •  • ,  MBookmarks,  ■  ■  ■)  \P  =  *P'  ::  chrome. bookmarks. remove(«;,  idcb,  id) 
$MBookmark  £  MBookmarks  s.t.  labOf  (MBookmark)  =  n 
bookmarksi  =  se\ectBookmark(MBookmarks ,  k) 

(bookmarks),  result)  =  bookmarkW Y\te(bookmarks\,  chrome. bookmarks. remove(«;,  idcb,  id)) 
fresh(ide) 

e  =  (ide,  idcb,  none,  result ,  k)  MBookmarks '  =  MBookmarks  ::  ( bookmarks ),  k) 

£'  =  I7['P  rp'] [MBookmarks  -4=  MBookmarks '] 

nextStateC(2?,  chrome. bookmarks. remove(ft,  idcb,  id))  =  £'",  e 


BookmarkRemove(2) 


The  chrome. bookmarks. removeTree  API  recursively  removes  a  bookmark  folder. 
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BookmarkRemoveTree(  1) 

E  =  (IP,  •  •  • ,  MBookmarks,  ■  ■  ■) 

$  =  IP'  ::  chrome. bookmarks. removeTree(K,  idcb,  id)  MBookmarks  =  MBookmarks11  ::  (bookmarks ,  k) 

(bookmarks' ,  result)  =  bookmarkW r\te(bookmarks ,  chrome. bookmarks. removeTree(«;,  idcb ,  id)) 
fresh(ide)  e  =  (ide,  idcb ,  none,  result,  k)  MBookmarks'  =  MBookmarks"  ::  (bookmark' ,  k) 

E'  =  E[\ 1/4=  \P'][ MBookmarks  4=  MBookmarks '} 

nextStateC(27,  chrome. bookmarks. removeTree(rt,  idcb ,  id))  =  E'\  e 


BookmarkRemoveTree(2) 

27  =  (>P,  •  •  • ,  MBookmarks,  •  •  •)  ^P  =  IP'  ::  chrome. bookmarks. removeTree(«;,  idcb,  id)) 

$MBookmark  £  MBookmarks  s.t.  labOf  (MBookmark)  =  n 
bookmarksi  =  selectBookmark (MBookmarks,  n) 

( bookmarks '±,  result)  =  bookmarkW r\te(bookmarksi,  chrome. bookmarks. removeTree(«;,  idcb,  id)) 
fresh(ide)  e  =  (ide,  idcb ,  none,  result,  k)  MBookmarks'  =  MBookmarks  ::  ( bookmarks n) 

E'  =  27  [\P  <=  ^'([MBookmarks  <=  MBookmarks '] 

nextStateC(27,  chrome. bookmarks. removeTree(/t,  idcb,  id))  =  E'\  e 

3.8.3  Rules  for  Accessing  Cookies 

The  cookies  can  be  set  by  server  through  the  HTTP  response  header.  In  each  web  request,  the  browser  sends  all 
the  cookies  in  the  same  domain  to  the  web  server,  no  matter  whether  the  cookies  were  set  by  the  server  or  client-site 
scripts.  The  httpOnly  cookies  cannot  be  accessed  by  client-side  scripts  including  page  scripts,  extensions  etc.  A  cookie 
for  domain  url  always  has  a  label  nc  =  labFrom(url)~ . 

CookieWebsiteSet(l):  An  web  site  updates  an  existing  cookie  item’s  value.  We  don’t  need  label  checking  here 

because  n  =  labFrom(url)~  and  labFrom(url)~  is  the  cookie’s  label. 


E  =  (>P,  •  •  • ,  Cookies,  ■  ■  •) 

vp  =  vp'  ::  website. cookieSet(ft,  idcb,  (name,  value,  url))  Cookie  £  Cookies 
Cookie  =  (name,  valuer ,  url,  k)  Cookie'  =  Cookie[value i  4=  value] 

Cookies'  =  Cookies[Cookie  <=  Cookie]  27'  =  27[r P  \P  '{[Cookies  <=  Cookies'] 

fresh(ide)  e  =  (ide,  idcb,  none,  info  (Cookie),  k) 

nextStateC(27,  website. cookieSet(/c,  idcb,  (name,  value,  url)))  =  E';  e 


CookieWebsiteSet(I) 


Cookie WebsiteSet(2):  An  web  site  sets  a  new  cookie  item. 


E  —  (rp,  •  •  • ,  Cookies,  ■  ■  ■)  \P  =  \Pr  ::  website. cookieSet(K,  idcb,  (name,  value,  url)) 
-flCookie  £  Cookies  s.t.  Cookie  =  (name,  ■,  url,  ■)  Cookie  =  (name,  value,  url,  k) 
Cookies'  =  Cookies  ::  Cookie  E'  =  27[>P  \P'][ Cookies  4=  Cookies'] 

fresh(ide)  e  =  (ide,  idcb,  none,  info(Cookie),  k) 

nextStateC(27,  website. cookieSet(K,  idcb,  (name,  value,  url)))  =  E'\  e 


CookieWebsiteSet(2) 
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CookieWebsiteGet(l):  In  each  HTTP  web  request  header,  the  cookies  that  belong  to  the  same  domain  are  attached. 
By  default,  labFrom(url)  C  k.  There  is  no  callback  function  for  “get  cookie”  commands  in  HTTP  headers.  Seems 
this  rule  is  useless. 

E  =  (T1,  •  •  • ,  Cookies ,  •  •  •)  =  T''  ::  website. cookieGet(/r,  url) 

Cookies  =  Cookies i  ::  Cookies2  V Cookie  £  Cookiesi,  Cookie  =  (_  ,  _  ,  url ,  _  ) 

$  Cookie  £  Cookies2  s.t.  Cookie  =  ,  url,  _  )  E'  =  Hi’T  4=  ’T'l  e  =  ■ 

- - - - - - - - - - - CookieWebsiteGet(I) 

nextStateC(27,  website. cookieGet(K,  url))  =  E  ;  e 

CookieScriptSet(l):  Asynchronous  version.  Successfully  reset  a  cookie. 


E  =  ('T.  •  •  • ,  Cookies ,  •  •  •) 

'T  =  \E,/  ::  domAPI.cookieSet(«;,  idcb,  (name,  value,  url))  Cookie  £  Cookies 
Cookie  =  (name,  valuei ,  url,  kc)  k  C  kc  Cookie  =  Cookie[valuei  4=  value] 
Cookies'  =  Cookies[Cookie  4=  Cookie  ]  E'  =  i7[W  4=  \E,/] [Cookies  4=  Cookies' [ 
fresh(ide)  e  =  (ide,  idcb,  none,  info(Cookie'),  kc) 

nextStateC(Z’,  domAPI.cookieSet(K,  idcb,  (name,  value,  url)))  =  Er;  e 


CookieScriptSet(I) 


CookieScriptSet(2):  The  label  checking  fails.  The  target  cookie  keeps  unchanged. 


E  =  ('P,  •  •  • ,  Cookies,  ■  ■  ■)  U/  =  H/7  ::  domAPI.cookieSet(«;,  idcb,  (name,  value,  url)) 
Cookie  £  Cookies  Cookie  =  (name,  value' ,  url,  kc)  k  %  nc  E'  =  4=  'T'] 

nextStateC(I7,  domAPI.cookieSet(K,  idcb,  (name,  value,  url)))  =  E'-,  ■ 


CookieScriptSet(2) 


CookieScriptSet(3):  A  script  creates  a  new  cookie  item. 


E  =  ('T.  •  •  • ,  Cookies,  •  •  •)  'T  =  '$>'  ::  domAPI.cookieSet(K,  idcb,  (name,  value,  url)) 

$Cookie  £  Cookies  s.t.  Cookie  =  (name,  _  ,  url,  _  ) 

kc  =  labFrom(url)  k  C  nc  Cookienew  =  (name,  value,  url,  kc) 

E'  =  17  [Hi  4=  H /[[Cookies  4=  Cookies  ::  Cookienew] 
fresh(ide)  e  =  (ide,  idcb,  none,  info(Cookienew),  kc) 

nextStateC(27,  domAPI.cookieSet(ft,  idcb,  (name,  value,  url)))  =  E' ;  e 


CookieScriptSet(3) 


CookieScriptSet(4):  A  script  fails  to  create  a  new  cookie  item. 


E  =  (HA  •  •  • ,  Cookies,  •  •  •)  \I/  =  'l/7  ::  domAPI.cookieSet(K,  idcb,  (name,  value,  url)) 

$Cookie  £  Cookies  s.t.  Cookie  =  (name,  _  ,  url,  _  ) 
kc  =  labFrom(url)  k  %  kc  E'  =  i7[Hi  4=  H/'] 

nextStateC(I7,  domAPI.cookieSet(ft,  idcb,  (name,  value,  url)))  =  E';  ■ 


CookieScriptSet(4) 
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CookieScriptGet(l)  Get  a  cookie. 


S  =  (\k,  •  •  • ,  Cookies,  •  •  •)  \k  =  \k'  ::  domAPI.cookieGet(«;,  idcb,  (name,  url )) 
Cookie  €  Cookies  Cookie  =  (name,  value,  url,  nc) 

kc  E  k  S'  =  17  [\k  <=  fresh(ide)  e  =  (ide,  idcb,  none,  Cookie,  k) 

nextStateC(I7,  domAPI.cookieGet(K,  idcb,  (name,  url)))  =  S'-,  e 


CookieScriptGet(I) 


CookieScriptGet(2)  Fail  to  get  a  cookie  as  the  target  cookie  does  not  exist. 


S  =  (\k,  •  •  • ,  Cookies,  •  •  •)  \k  =  \k'  ::  domAPI.cookieGet(«;,  idcb,  (name,  url)) 
$  Cookie  £  Cookies  s.t.  Cookie  =  (name,  _  ,  url,  _  )  \k'] 

nextStateC(JP,  domAPI.cookieGet(«;,  idcb,  (name,  url)))  =  S'-,  ■ 


CookieScriptGet(2) 


CookieScriptGet(3)  Fail  to  get  a  cookie  due  to  the  label  checking. 


S  =  ('I',  •  •  • ,  Cookies,  ■  ■  ■)  \k  =  \k'  ::  domAPI.cookieGet(/c,  idcb,  (name,  url)) 

Cookie  £  Cookies  Cookie  =  (name,  value,  url,  nc)  S'  =  i7[\k  4=  'k'] 

nextStateC(JP,  domAPI.cookieGet(A,  idcb,  (name,  url)))  =  S'-,  ■ 


CookieScriptGet(3) 


CookieCoreGet  Extension  core  gets  a  cookie  by  (url,  name,  storelD).  The  browser  return  the  cookie.  Similar  to 
cookieScriptGet  rules. 

CookieCoreSet  Extension  core  set  cookie  with  url,  name.  The  rules  are  similar  to  COOKIES CRIPTSet  rules. 

CookieCoreGetAU  Extension  core  gets  a  cookie  with  the  parameters.  The  browser  return  the  cookie,  taint  the  label 
the  extension  core  with  the  label  of  the  cookies. 


S  =  ('k,  •  •  • ,  Cookies,  ■  ■  ■)  \k  =  \k'  ::  chrome. cookies. getAII(«;,  idcb,  filter) 
V Cookie  £  Cookies,  Cookie  =  kc) 

if  matchFilter(Coofc*e,  filter)  =  true  A  kc  C  k 
Add  Cookie  to  Cookies  results 

S'  =  17  [\k  <=  'k']  fresh(ide)  e  =  (ide,  idcb ,  none,  Cookiesresuits,  k) 

nextStateC(I7,  chrome. cookies. getAII(K,  id cb ,  filter)))  =  S';  e 


GookieCoreGetAll 


CookieCoreRemove(l)  Extension  core  removes  a  cookie  with  name  and  url.  The  callback  function  can  access  the 
removed  cookie. 


S  =  (rk.  •  •  • ,  Cookies,  •  •  •)  \k  =  tk7  ::  chrome. cookies. remove^,  idcb,  (name,  url)) 

Cookies  =  Cookies'  ::  Cookie 

Cookie  =  (name,  _  ,  url,  kc)  k  C  kc  S'  =  27[\k  •<=  \kr] [ Cookies  <=  Cookies'] 
fresh(ide)  e  =  (ide,  idcb,  none,  Cookie,  kc) 

' - - - - - - - — - - - CookieCoreRemove(I) 

nextStateC(27,  chrome. cookies. remove^,  idcb,  (name,  url)))  =  S  ;  e 
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CookieCoreRemove(2)  The  target  cookie  does  not  exist. 


27  =  ('I'.  •  •  • ,  Cookies,  •  •  •)  \k  =  \k7  ::  chrome. cookies. remove^,  idcb,  (name,  url )) 

$Cookie  £  Cookies  s.t.  Cookie  =  (name,  _  ,  url,  _  )  27'  =  27  [\k  ■$=  \k,l 

- - - - - - - - - — - - - CookieCoreRemove(2) 

nextStateC(27,  chrome. cookies. remove^,  idcb ,  (name,  url)))  =  E  ;  • 

CookieCoreRemove(3)  Extension  core  fails  to  remove  a  cookie  with  name  and  url  due  to  the  label  checking. 

E  =  (>k,  •  •  • ,  Cookies,  ■  ■  ■)  \k  =  \k'  ::  chrome. cookies. remove^,  idcb,  (name,  url)) 

Cookies  =  Cookies'  ::  Cookie 

Cookie  =  (name,  _  ,  url,  kc)  k\£  kc  E'  =  27  Kk  4=  \k,l 

- - - - - - - - - CookieCoreRemove(3) 

nextStateC(27,  chrome. cookies. remove(rc,  idcb,  (name,  url)))  =  27  ;  • 

3.8.4  Rules  for  Accessing  History 

historySearch  Searches  the  history  for  the  last  visit  time  of  each  page  matching  the  query. 

27  =  ('k.  •  •  • ,  histories,  •  ■  •) 

\k  =  \l//  ::  chrome. history. search(/-c,  idcb,  query)  histories  =  historiesi  ::  histories 2 

Whistory  £  historiesi,  histoj'y  =  (id,  url,  name,  visitTime ,  visitType,  Kh) 
matchQuery (history,  query)  =  true 
Kh  E  K 

jlhistory'  £  histories,  history'  =  (id' ,  url,  name,  visitTime  ,  visitType' ,  n'h),  history'  ^  history 
s.t.  visitTime'  is  later  than  visitTime  A  Kh  C  k 
Whistory  £  histories2 ,  history  =  (id,  url,  name,  visitTime,  visitType,  Kh) 
matchQuery  (history,  query)  =  true 
Kh  E  k 

Bhistory'  £  historiesi,  history'  =  (id' ,  url,  name,  visitTime' ,  visitType  ,  K'h), 
s.t.  visitTime'  is  later  than  visitTime  A  n'h  C  k 
E'  =  27 [\k  4=  \k']  fresh(ide)  e  =  (ide,  idcb,  none,  historiesi,  k) 

- — - - - - - — - - - historySear< 

nextStateC(27,  chrome. history. search(«;,  idcb,  query))  =  27  ;  e 

If  the  user  visit  a  page  for  n  times,  the  browser  will  generate  n  history  items  with  the  same  url  and  name.  For  each 
page,  we  put  its  latest  history  item  into  historiesi,  the  rests  are  in  histories 2.  Line  3-7  say  that  any  item  in  historiesi 
is  fresher  than  any  other  record  for  the  same  page.  Line 

Line  8-12  are  to  ensure  that  histories  1  contains  all  pages’s  latest  history  record  items. 


historyGetVisits:  Retrieves  information  about  visits  to  a  URL. 


27  =  (\k,  •  •  • ,  histories,  •  ■  •) 

\k  =  \k/  : :  chrome. history. getVisits(ft,  idcb,  url)  histories  =  historiesi  histories2 
V history  £  historiesi 

history  =  (_  ,  url,  Kh) 

Kh  E  k 

jlhistory  £  histories2,  s.t.  history  =  (_  ,  url,  Kh)  A  Kh  E  k 

E'  =  27 [\k  4=  \k  ]  fresh(ide)  e  =  (ide,  idcb ,  none,  historiesi,  k) 

nextStateC(27,  chrome. history. getVisits(rc,  idcb,  url))  =  27';  e 


historyGetVisits 
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historyAddUrl:  Adds  a  URL  to  the  history  at  the  current  time. 


£  =  (\tr,  •  •  • ,  histories,  ■  ■  ■) 

\k  =  \k'  ::  chrome. history. addUrl(«,  idcb,  (name,  url,  visitTime,  visitType )) 
histories'  =  histories  ::  history 

fresh(id)  history  =  (id,  url,  name,  visitTime,  visitType,  n) 

£'  =  i7[\k  <=  \k'] [histories  <=  histories' ]  fresh(ide)  e  =  (ide,  idcb ,  none,  history,  k) 
nextStateC(I7,  chrome. history. addllrl(/t,  idcb,  (name,  url,  visitTime,  visitType )))  =  £'■,  e 


historyAddUrl 


historyDeleteUrl:  Removes  all  occurrences  of  the  given  URL  from  the  history.  We  delete  all  the  matching  items 
which  has  a  label  higher  than  k.  In  the  callback  event,  we  return  void  instead  of  the  deleted  high  history  items. 


£  =  ('k,  •  •  • ,  histories,  ■  ■  •) 

\k  =  \E,/  ::  chrome. history. deleteUrl(K,  idcb,  url)  histories  =  historiesi  ::  histories2 
V history  £  historiesi 

history  =  (_  ,  url,  Kh) 

k  E  nh 

^history  £  historieS2,  s.t.  history  =  (_  ,  url,  Kh)  A  kCkj 

£'  =  £\%>  <=  ^'([histories  <=  histories2\ 
fresh(ide)  e  =  (ide,  idcb,  none,  void,  k) 

nextStateC(i7,  chrome. history. deleteUrl(K,  idcb,  url))  =  £'\e 


historyDeleteUrl 


3.9  Asynchronous  APIs  Calls 

Asynchronous  calls  are  encoded  using  nextStateC  function. 


3.9.1  Web  Request  API  Calls 


£  =  (ik,  •  •  •)  \k  =  Vk'  : :  webRequestGet(K,  idcb,  info ,  url) 
fresh(ide)  e  =  (ide,  webRequest.onBeforeRequest,  none,  info,  k) 
if'  =  ws.beforeRequest(K,  idcb, -,  ide,  info,  url)  £'  =  A7[\k  4=  \k'  ::  ip\ 
nextStateC(i7,  webRequestGet(«,  idcb,  info,  url))  =  £' ;  e 


WebRequestGet 


3.9.2  Messaging 

The  sending  message  APIs  are  asynchronous.  The  argument  of  the  callback  function  is  the  response  from  the  recipient 
of  the  message.  Therefore,  the  browser  needs  to  keep  track  of  pairs  of  sending  and  receiving  event  handlers.  The  return 
fields  of  events  and  event  handlers  are  used  for  this  purpose.  The  return  field  in  an  event  indicates  that  the  browser’s 
state  should  change  once  the  event  handler  that  processes  this  event  finishes.  Rules  Return-Core,  Return-CS, 
Return-Page  generate  such  a  browser  state. 

Messaging  asynchronous  API  call  example  In  general  asynchronous  API  calls,  the  trigged  events  do  not  contain 
return  channels.  However,  the  events  triggered  by  messaging  asynchronous  API  calls  might  contain  return  chan¬ 
nels.  Here  is  an  example,  suppose  a  content  script  wants  to  send  a  message  to  an  extension  core,  it  calls  the  API 
chrome. runtime. sendMessage  through  FireAPICall-A-CS  with  a  callback  function  to  address  the  core’s  reply.  The 
browser  generates  a  state  chrome. runtime. send  Message^,  idcb,  (id,  idext ,  message)),  where  n  and  id  are  the  con¬ 
tent  script’s  simple  label  and  ID  respectively,  idcb  is  the  callback  handler’s  event  type,  id ext  is  the  target  extension’s 
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ID,  and  message  is  the  message.  In  CSToCoreI,  the  chrome,  runtime,  send  Message^,  idcb,  ( id ,  idext,  message)) 
state  is  processed  by  issuing  an  event 

e  =  ( ide ,  chrome. runtime. onMessage,  some(chrome. runtime. sendMessage,  idcb),  (id,  idext,  message),  k).  Then 
the  state  chrome,  runtime,  send  Message^,  idcb,  (id,  idext,  message))  is  replaced  with  the 

chrome. runtime. sendMessage. waitResponse(ft,  idcb)  state  which  indicates  there  is  content  script  waiting  for  a  reply 
to  be  handled  by  an  event  handler  with  event  type  idcb .  The  event  e  contains  a  return  channel: 

some(chrome. runtime. sendMessage,  idcb).  With  EVENTFIRE2,  the  event  e  is  added  to  all  the  chrome. runtime. onMessage 
handlers  in  the  target  extension  core.  Each  handler  may  return  a  reply  to  the  content  script.  However,  only  the  first 
reply  will  be  accepted  by  the  browser  and  then  be  passed  to  the  content  script.  When  a  response  is  sent  by  the  core 
(as  modeled  by  Return-Core),  a  new  state  chrome. runtime. sendMessage. ResponseGenerated(/c,  idcb,  response) 
is  generated  and  added  into  the  browser.  Now  there  are  two  states  related  to  the  chrome. runtime. sendMessage  API 
call,  namely  chrome. runtime. sendMessage. waitResponse(/c,  idcb) 

and  chrome. runtime. sendMessage. ResponseGenerated(rc,  idcb,  response).  Then  the  browser  knows  a  response  has 
been  sent  by  the  target  extension  core,  the  internal  transition  rule  CSToCore2  is  applied,  and  a  callback  event 
e  =  (ide,  idcb,  none,  response,  k)  is  issued.  The  callback  events  carries  the  core’s  response.  Finally,  the  content 
script’s  callback  handler  receives  the  callback  event  and  gets  the  core’s  response. 

CSToCore  Content  script  sends  a  message  to  extension  core,  it  may  also  have  a  callback  function  to  deal  with  the 
core’s  response,  id  is  the  message  sender’s  ID. 

£  =  (*.•■■) 

=  H/'  ::  chrome. runtime. send  Message^,  idcb,  (id,  idext,  message))  fresh(ide) 
e  =  (ide,  chrome. runtime. onMessage,  some(chrome. runtime. sendMessage,  idcb),  (id,  idext,  message),  k) 

ip'  =  chrome. runtime. sendMessage. waitResponse(/r,  idcb)  ip'  e  S'  =  27  [\P  •<=  T,/  ::  ip] 

- - - — — - - - CSToCoreI 

nextStateC(27,  chrome,  runtime,  send  Message^,  idcb,  (id,  idext,  message)))  —  27  ;  e 


After  the  receiving  the  response,  the  state  regarding  the  messaging  will  be  removed,  and  a  callback  event  will  be 
issued. 


: :  chrome. runtime. sendMessage. waitResponse(rc,  idcb) 

::  chrome. runtime. sendMessage. ResponseGenerated(ft,  idcb,  response) 

fresh(ide)  e  =  (ide,  idcb .  none,  response,  k)  £'  =  271'T  4=  'k'l 

- — - - - - - - - - - - — - - - - —  CSToCore2 

nextStateC(27,  chrome. runtime. sendMessage. ResponseGenerated(rc,  idcb,  response))  =  27  ;  e 

CoreToCS:  The  rules  are  for  one-time  messaging  from  core  to  content  scripts. In  CoreToCSI,  when  a  message 
event  is  sent  from  core,  the  state  is  changed  to  “waitResponse”.  The  same,  there  is  no  callback  event  triggered  in  this 
rule,  id  i  is  the  specific  and  unique  event  type  for  the  callback  event. 


£  =  (*>••■) 

=  H/'  ::  chrome,  tabs,  send  Message^,  idcb,  (idext,  idt,  message))  fresh(ide) 

e  =  (ide,  chrome. runtime. onMessage,  some(chrome. tabs. sendMessage,  idcb),  (idext,  idt,  message),  «) 
ip'  =  chrome. tabs. sendMessage(ft,  idcb,  ( idext ,  idt,  message)). WaitResponse 

iP'  ~nb  e  27'  =  27[T>  <=  ::  t//] _ 

nextStateC(27,  chrome. tabs. sendMessage(/r,  idcb,  ( idext ,  idt,  message)))  =  27';  e 


CoreToCSI 
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In  CoreToCS2,  the  content  script  event  handlers  for  the  chrome. runtime. onMessage  event  have  return  a  re- 
sponse(or  none).  And  upon  getting  the  response,  the  browser  change  the  state  to  “responseGenerated". 

2  =  (*,-■■) 

U/  =  rp'  ::  chrome. tabs. sendMessage.waitResponse)^,  idcb ) 

::  chrome. tabs. sendMessage.ResponseGenerated(«;,  idcb ,  response) 

fresh(ide)  e  =  ( ide ,  idcb,  none,  response,  n)  E'  =  A7 [\&  4=  rp'l 

- — - ; - - - - - — - - —  CoreToCS2 

nextStateC(27,  chrome. tabs. sendMessage.ResponseGenerated(«,  id cb,  response))  =  E  ;  e 

3.9.3  Chrome  Tabs  APIs 

Create  a  new  blank  tabs  When  a  user  or  an  extension  creates  a  new  blank  tab,  a  new  tab  t  with  fresh  ID  idt  is  added 
to  system  state  S.  The  tab  creation  triggers  an  event  e.  The  parameters  of  chrome. tabs. create  include  windowld, 
index(optional  integer),  url,  active(optional  boolean),  pinned  (optional  boolean),  openerTabldfoptional  integer).  The 
extensions  create  a  new  tab  explicitly  through  chrome. tabs. create  API.  And  we  assume  that,  when  receiving  a  user’s 
command,  the  handler  UI  also  generates  code  chrome. tabs. create.  idw  is  window  ID. 


E  =  (rp,  Tabs,  Exts  ::  Ext,  ExtCoreRs ,  ■  •  •) 

'k  =  \E,/  ::  chrome. tabs. create(ft,  idcb,  ( idw,  positionlndex ,-,  activeFlag ,  pinnedBoolean)) 
fresh(idt,  idel,  ide2)  t  =  ( idt , ,  •,  EmptyUrl,  •,  k 
e\  =  (idei,  tabs.onCreated,  none,  (idt,  positionlndex,  idw,  ■,  EmptyUrl),  n) 
e2  =  (ide 2,  ldcb,  none,  getlnfo(f),  k) 

- - — - - - - - —  NewBlankTa 

nextStateC(X',  chrome. tabs. create(«,  idcb,  (id w ,  positionlndex ,  ■,  activeFlag ,  pinnedBoolean,  (t))) 

=  A7 [\P  '3// ][Tabs  <=  Tabs  ::  t],e i  ::  ei 

When  a  new  blank  tab  is  created,  we  set  the  tab  label  the  same  as  the  creator’s  label.  Here  n  is  the  label  of  the 
principal  that  wants  to  create  the  tab.  is  the  label  that  the  creator  wants  the  tab  to  have.  Based  on  API  rules,  it 
should  be  the  case  that  k  =>■  Kt-  If  the  creator  is  a  user,  by  default,  all  extensions  are  allowed  to  access  it.  If  the  creator 
is  an  extension,  by  default,  other  extensions  can  not  access  it.  id  could  be  an  extension  ID  or  a  user  ID.  The  command 
can  either  be  in  extension  context  or  user  context.  If  the  command  comes  from  user  context,  id  should  be  user,  and 
the  callback  function  cmd  is  set  to  •. 

Update  a  tab’s  url  We  need  to  taint  the  label  of  the  tab  to  prevent  the  case  where  the  tab  goes  from  H  to  L.  If  we 
overwrite  the  tab’s  label,  then  the  low  execution  may  not  be  able  to  update  the  url. 


E  =  (rp,  Tabs  ::  t,  ■  ■  •) 

t  =  (idt,  ■ ,  £tnh )  'P  =  4r'  ::  chrome. tabs. update^,  idcb ,  (idt,  url,  ■  ■  ■))  k  %  £fnh* 

- -  - - - — — - - - . - — —  URLUpdateI 

nextStateC(X',  chrome. tabs. u  pdate(rt,  idcb,  (idt,  url,  ■  ■  ■)))  =  <t=  \D  ],  • 


E  =  (d>,  Tabs  ::  £,---)  t  =  (idt,  ■  ■  ■ ,  (-tab) 

d/  =  d/'  ::  chrome. tabs. update(r«,  idcb,  (idt,  url,  •  •  •))  k  Q  (tab* 

l\  =  k  >tnt  ( tab  V’/  =  readyToFetchDoc(ft,  idt,-,  url)  t'  =  t[(tab  (i\ 

Tabs'  =  Tabs[t  <=  t']  E  =  E[Tabs  <=  Tabs']['&  <=  ’T'  ::  ip']  fresh(id\,  id-2) 
e\  =  (id\,  tabs,  on  Updated,  none,  (idt,  infoi),  (\~)  e2  =  (id2,  idcb ,  none,  getlnfo(t'),  (\~) 
nextStateC(£',  chrome. tabs. update(tc,  idcb ,  (idt,  url,  ■  ■  ■)))  =  E';  e\  ::  e2 


URLUpdate2 
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Create  a  blank  tab  with  url:  Here,  we  allow  the  new  tab  to  float  to  top  secret. 


fresh(idt,  idd ,  ide i,  ide 2)  E  =  ('k,  Tabs ,  •  •  •) 

\&  =  5''  ::  chrome. tabs. create(K,  idcb ,  (idw,  positionlndex,  url,  activeFlag ,  pinnedBoolean,  idparentTab )) 
t  =  ( idt ,  -,  url,  kF^) 

ip'  =  readyToFetchDo c(n,idt,-,-,url)  E'  =  i7[\I>  <4=  ’3/'  ::  tp][Tabs  <=  Tabs  ::  t] 

£  =  (zdel,tabs.onCreated,  none,  info1,n)  ::  (ide 2,  idcb,  none,  getlnfo(f),  k) 
nextStateC(i7,  chrome. tabs. create^,,  idcb,  (id w,  positionlndex,  url,  activeFlag ,  pinnedBoolean,  idparentTab )))  =  E' ,  £ 

3.9.4  Script  Injection 

When  a  content  script  from  an  extension  is  ready  to  be  injected,  a  new  label  for  the  runtime  copy  of  the  script  is 
computed  from  the  label  associated  with  the  state  that  the  script  is  ready  to  be  inject  (k)  and  the  policy  of  the  extension 
(extPolicy(idext)).  The  label  computation  function  essentially  taints  the  policy  label  with  k  (kWm  extPolicy(idext )). 


E  =  (\1/,  Tabs  ::  t,  ■  ■  ■ ,  proglnjCSs,  ■  ■  •) 

\I/  =  \E,/  : :  chrome. tabs. executeScript(K,  idt,  idext ,  ( cmd ,  EventHandlers) ,  index,  runat,  _  ) 
t  =  (idt,  Docs  ::  Doc,  url,  _  ,£t)  fresh(idcs)  £  =  computeLabel(n,  extPolicy(idext)) 

ExtCSnew  =  (idext,  idcs,  idt,  cmd,  EventHandlers ,  ■,  runat,  index,  £) 

E'  =  E[progInjCSs  <=  proglnjCSs  ::  ExtCS new\  <=  \E,/] 
nextStateC(i7,  chrome. tabs. executeScript(/r,  idt,  idext ,  (cmd,  EventHandlers) ,  index,  runat,  _  ))  =  E’;  0 

3.9.5  Managing  Extensions 

Enable  an  extension  An  extension  can  enable,  disable  another  extcnsion/appiinc hiding  itself),  and  uninstall  an 
extension/ APP,  but  it  cannot  install  other  extensions  or  apps.  Here,  the  id  in  the  browserstate  is  the  unique  id  matching 
the  callback  function.  A  call  to  enable  an  extension  is  discarded  if  the  extension  is  already  active. 


E  =  (T1,  Tabs,  Exts  ::  Ext,  ExtCoreRs,  ■  ■  •) 

T'  =  \E,/  ::  chrome. management. setEnabled(«;,  idcb,  (string,  id,  idext,  activeFlag)) 

Ext  =  (idext,  ExtCore,  ■  ■  ■ ,  activeFlag' ,  £\) 

- - - - — - — - - - - —  EnableDisableExtI(a) 

nextStateC(i7,  chrome. management. setEnabledjrt,  idcb,  (string,  id,  idext,  activeFlag)))  =  E  \1/  -4=  T  j,  • 


E  =  ('T,  Tabs,  Exts  ::  Ext,  ExtCoreRs,  ■  ■  •) 

T'  =  *3//  ::  chrome. management. setEnabled(rc,  idcb,  (string,  id,  idext,  activeFlag)) 

Ext  =  (idext,  ExtCore,  •  •  • ,  activeFlag ,  l\)  n  C  t\ 

£2  =  k  >tnt  £1  fresh(ide)  ei  =  (ide,  idcb,  none,  getlnfo(2?xf), ^2”) 
nextStateC(i7,  chrome. management. setEnabled(«;,  idcb,  (string,  id,  idext,  activeFlag)))  =  A7 [\H  -4=  '3//] ,  e\ 


EnableDisableExt  1  (B) 
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£  =  ('I'.  Tabs,  Exts  ::  Ext,  ExtCoreRs,  •  •  •) 

\l/  =  >3//  ::  chrome. management. setEnabled(re,  idcb,  ( string ,  id,  idext,  active)) 

Ext  =  (idext,  ExtCore,  ■  ■  ■ ,  activeFlag ,  £\) 
k  C  £\*  activeFlag  =  inactive  £2  =  k  \>tnt  £ 1 

ExtCoreR  =  (id ext,  ExtCore,  £2)  Ext'  =  Ext[activeFlag  4=  active][fi  4=  £2] 

£'  =  £[Ext  4=  Ext'][ExtCoreRs  ExtCoreRs  ::  ExtCoreR])' V  4=  \Ef/] 
fresh(idei,ide  2)  e\  =  (idei,idcb,r\one,get\nfo(Ext'),£2~) 

e-2  =  (ide2i  management. onEnabled,  none,  getlnfo)^^'),  £2~) 

- - - - - - - - - enableExt2 

nextStateC(I7,  chrome. management. setEnabled(K,  idcb,  (string,  id,  idext,  active)))  =  £  ,  e\  ::  e2 

Disable  an  extension 

£  =  (\&,  Tabs,  Exts  ::  Ext,  ExtCoreRs,  ■  •  •) 

\1/  =  : :  chrome. management. setEnabled(«;,  idcb,  (string,  id,  idext,  inactive)) 

Ext  =  (idext,  ExtCore,  ■  ■  ■ ,  activeFlag ,  £\) 

k  C  £1*  activeFlag  =  active  £2  =  k  \>tnt  £1  ExtCoreRs  =  ExtCoreRs '  ::  ExtCoreR 
ExtCoreR  =  ( idext ,  •  •  •)  Ext  =  Ext[activeFlag  4=  inactive]^  4=  £2} 

£'  =  £[Ext  4=  Ext'][ExtCoreRs  -4=  ExtCoreRs ,][\&  4=  4''] 
fresh(idei,  ide2)  ei  =  (idei,  idcb,  none,  get  Info  (.Erf7),  t2~) 
e2  =  (ide2)  management. onDisabled,  none,  get  Info  (Erf7), f2_) 

— - - — - - - — - — - - - disableExt2 

nextStateC(27,  chrome. management. setEnabled(ft,  idcb,  (string,  id,  idext,  inactive)))  =  £  ,e\  ::  e2 

The  target  extension  does  not  exist. 

EnableDisableExt3 

£  =  (’k,  Tabs,  Exts,  ExtCoreRs ,  ■  ■  •) 

\k  =  \i//  ::  chrome. management. setEnabled(/t,  idcb,  (string,  id,  idext,  activeFlag )) 
jBExt  €  Exts  Ext  =  (idext,  ■  ■  ■) 

nextStateC(27,  chrome. management. setEnabled(K,  idcb,  (string,  id,  idext,  activeFlag)))  =  4=  \k,]}  • 

4  Noninterference 

In  this  section,  we  introduce  formal  definitions  of  noninterference  and  state  the  main  noninterference  theorem. 

4.1  Projections 

We  first  define  operations  that  remove  elements  from  the  state  that  an  attacker  cannot  observe.  We  define  the  projection 
of  relevant  constructs  given  a  simple  label:  x  The  purpose  of  the  projection  is  to  remove  information  that  cannot 
be  read  by  the  attacker  (of  label  n)  from  various  constructs. 

We  define  a  function  lab  Of  (x)  to  be  the  outmost  label  of  the  construct  x. 

Projection  of  actions: 


£~  c  k 

API(£S,---)U=  API(£S,  ■  ■  ■) 


API1 


£s  %  K 

API(£b,---)U= ■ 


API2 
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Projection  of  events: 


lab  Of  (e)  C  k 

- - - event  1 

e  ^ 


lab  Of  (e)  %  k 

- - -  EVENT2 

^  4-k;  — 


Projection  of  document  scripts: 


DocCS  =  (idext,  idcs,  idt,  F,  cmd,  EventHandlers,  £)  £  C  k 

DocCS  4,k=  ( idext ,  idcs ,  zdt,F,  cmd,  EventHandlers  fK,£) 


DS1 


labOf  (DocCS)-  %  k 
DocCS  • 


DS2 


Projection  of  content  scripts: 

labOf  (ExtCS)  C  k 
ExtCS  ExtCS 


labOf  {ExtCSy  %  k 
ExtCS  \.K=  ■ 


CS2 


Projection  of  handlers 

EventHandler  =  (id,  eventType ,  x.cmd,  eventQueue,  cmd,  ide,  BlockingFlag,  return) 
EventHandler  j,re=  (id,  eventType,  x.cmd,  eventQueue  4-K,  cmd,  ide,  BlockingFlag,  return) 

Projection  of  runtime  extension  cores: 

ExtCoreR  =  (id ext,{C,  cmd,  EventHandlers),  £)  £~  Q  k  labOf  (ExtCoreR) 

- - - - - - - extCoreI  - 

ExtCoreR  j,re=  ( idext ,  (r,  cmd,  EventHandlers  j.K),  £)  ExtCoreR  j.K=  • 


Projection  of  storage  : 


labOf  (Storage)  C  k 

- - - storage  1 

Storage  j.K=  Storage 


labOf  (Storage)  %  k 

- - -  STORAGE2 

Storage  \.K=  ■ 


Projection  of  extensions: 


Ext  =  (idext,  ExtCore,  ExtCSs,  Storage,  activeFlag ,  £)  £  C  n 

Ext  \.K=  (idext,  ExtCore,  ExtCSs  fK,  Storage  j,re,  activeFlag ,  £) 


Ext  =  (idext,  ExtCore,  ExtCSs,  Storage,  activeFlag ,  l)  £  %  k 

Ext  fK=  void,  ExtCSs  Storage  void,  void) 


ext2 


EH 


EXTCORE2 
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Projection  of  a  document  node 


node  (•  •  *  ?  ^ childrens  -  ?  ^ succi  *)>  nodes ,  content, 

if  t~  C  k  then  c  =  content,  l  =  t  else  c  =  l  =  void 


if  ^ 


□  ft  then  r  =  cnt  else  c  =  brk 


children  E  ^  nodes  -]'/•£ —  N ,  A 


if  \ 


SUCC  — 


node  iK=  (id,  attributes  N,  c,  l),  A,  r 

node  =  (id,  (•  •  • ,  l children,  -  ,4ucc,  •)>  no^es>  content,  t) 
if  t~  C  k  then  c  =  content,  l  =  £  else  c  =  l  =  void 
C  k  then  r  =  cnt  else  c  =  brk 


NODEl 


^  children 


%  k  nodes  \.K=  N,  A 


node  \.K=  (id,  attributes  fK,  void,  c,  l),  (N,  A),  r 

node  fK=  node  ,  A,  cnt  nodes  fK=  TV  ::  iV’/ ,  A' 


NODE2 


'I'K — 


NODES  1 


node  ::  nodes  4-re=  (node  ::  N )  ::  TV',  (A,  A') 
node  fK=  node  ,  A,  brk  nodes  J,re=  TV,  A' 


NODES2 


node  ::  nodes  J,K=  [node]  ::  TV,  (A,  A') 


NODES3 


Projection  of  a  document  page 

Doc  =  (idd,  url,  nodes,  DocCSs,  l)  £~  C  k 
Doc  J,K=  (idd,  url,  nodes  j,re,  DocCSs  fK,£) 


Doc  =  (idd,  url,  nodes,  DocCSs,  £)  £ 

DOC  1  - - - -  DOC2 

Doc  J,K=  (idd,  void,  nodes  \.K,  DocCSs  fK,  void) 


Pruning  page  event  handlers  based  on  the  result  of  document  projection 

EventHandler  =  (id,  •  •  •)  id  G  Docs 
prun e(EventHandler,  Docs)  =  EventHandler 

EventHandler  =  (id,  •  •  •)  id  ^  Docs 


pageHandlerI 


prun  ^(EventHandler,  Docs)  = 


PAGEHANDLER2 


Projection  of  browser  states: 

lab  Of  (ip)  C  k 

- - - browserStateI 

Ip  Ik=  Ip 


labOf(ip )  %  k 

- - -  BROWSERSTATE2 

Ip  Ik=  ’ 


Projection  of  tabs: 


Tab  =  (idt,  Docs,  url,  EventHandlers ,  £) 

£~  C  k  Docs'  =  Docs  EventHandlers 1  =  prun  ^(EventHandlers  Docs') 

Tab  lK=  (idt,  Docs' ,  url,  EventHandlers' ,£) 


Tab  =  (idt,  Docs,  url,  EventHandlers ,  £) 

£~  %  k  Docs'  =  Docs  Docs'  ^  •  EventHandlers '  =  prun  ^(EventHandlers  Docs') 

Tab  J,K=  (idt,  Docs' ,  void,  EventHandlers  ,  void) 


Tab  =  (idt,  Docs,  url,  EventHandlers ,  t)  £  %  k 

Tab  4_k=  • 


Docs  • 


Tab  3 
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Projection  of  MBookmarks: 


labOf  (MBookmark)  C  k 
MBookmark  J.K=  MBookmark 


MBookmarkI 


Projection  of  cookies: 


labOf  (Cookie)  C  n 

- - - COOKIEl 

Cookie  iK=  Cookie 


Projection  of  histories: 


labOf  (history)  C  k 

- history  1 

history  history 


labOf  (MBookmark)  %  k 

- - - MBookmark2 

MBookmark  ■ 


labOf  (Cookie)  %  k 
Cookie  lK=  ■ 


COOKIE2 


labOf  (history)  %  k 

- - - HISTORY2 

history  ■ 


4.2  Less  than  relation 

Here,  we  define  a  binary  relation  that  compares  entities  in  two  states.  At  a  high-level.  Si  and  S2  are  in  this  relation  if 
Si  and  S-2  agrees  on  all  the  elements  that  an  attacker  can  observe  in  Si. 

Less  than  Given  two  lists  L 1  and  L2,  we  say  L 1  is  a  sub-list  of  L2,  written  L 1  <  L2  if  Vi  £  Li,  3  j  £  L2  and  i  <  j. 
For  any  atomic  (non-tuple)  value  x,  void  <  x,  and  x  <  x. 


EventHandlersi  <  EventHandlers2 
(F,  cmd ,  EventHandlersi)  <  (r,  cmd,  EventHandlers2) 

ExtCorei  <  ExtCore2 


extCore 


(id ext,  ExtCorei,  t)  <  (id ext,  ExtCore 2,i) 


EventHandlersi  <  EventHandlers2 


extCoreR 


(id ext >  'ides,  idt,T,  cmd,  EventHandlersi,  £)  <  (idext,  idcs,  idt,  F,  cmd ,  EventHandlers2,  £) 

url  1  <  url2  nodesi  <ns  nodeS2  DocCSs  1  <  DocCSs2  ti  <  £ 2 

- -  Doc 

(id  d,  urh,  nodesi,  DocCSsi,£i)  <  ( idd,url2,nodes2,  DocCSs2,£2 ) 

Docs  1  <  Docs 2  url  1  <  url2  EventHandlersi  <  EventHandlers2  £1  <  £2 


docCS 


(idt,  Docs  1,  urli,  EventHandlersi,  £1)  <  (idt,  D0CS2,  w/2,  EventHandlersi ,  £2) 


Tab 
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<  N 


N  <l  N'  :  N3  N 1  <  N3,N2  :  N4  nodes  <„l  nodes1  :  N 

nodeSet  1  - 7 - - NODESET2  - 7 - nodeList 


N,  N 1  <  N',  N  2  :  N4 
- — -  nodeListI 


<nL  U  :  w  []  N  :  N 

node  <n  node'  :  N±  nodes  <hl  nodes'  :  N2 


nodes  <l  nodes'  :  N 
nodeList  1’ 


node  ::  nodes  <hl  node  ::  nodes'  :  Ni,N2 
node  <n  node'  :  N±  nodes  <l  nodes'  :  N2 


NODELIST2 


node  ::  nodes  <l  node'  ::  nodes'  :  N\,N2 


NODELIST2’ 


nodes  <l  nodes2  :  N 
nodes  <l  nodes\@nodeS2  '■  nodes i,N 

node  =  (•••,  nodes' ,  •  •  •) 


nodeList3 


node  =  (id,  (),  void,  void,  void) 
node  ::  nodes  <l  nodes'  :  N 


NODELIST4 


[]  <l  node  ::  nodes  :  nodes' ,  nodes 


nodeList5 


(id,  void,  _  )  <n  (id,  _  ,  nodes,  _  )  :  nodes 


NODEl 


nodes  <„£  nodes'  :  N 

(id,  (),  void,  nodes,  void)  <n  (id,  _  ,  nodes' ,  _  )  :  N 
nodes  <„£  nodes'  :  N 

(id,  Vi,V2,  nodes,  £)  <n  (id,  V\,V2,  nodes' ,  €)  :  N 


NODE2 


node3 


MBookmarks  1  =  M Bookmarks  2 

- MBookmarks 

MBookmarks  1  <bkm  MBookmarks 2 


histories  1  =  histories2 

- Histories 

histories  1  <hstrs  histories2 


<B,e 


extCoresB  1 


ExtCoreRi  <  ExtCoreR2  ExtCoreRsi  <B,e  ExtCoreRs2 
ExtCoreRi  =  (idext,  (_  ,  _  ,  EventHandlersi  ::  eh\),  _  ) 
ExtCoreR.2  =  ( idext ,  (_  ,  _  ,  EventHandlers2  e/12),  -  ) 
ehi  =  (eventTypeOf  (e) ,  _  ,  eventQueue1,  _  ,  _  ,  blocking,  _  ) 
e/12  =  (eventTypeOf  (e) ,  _  ,  eventQueue2 ,  _  ,  _  ,  blocking,  _  ) 
if  e  ^  eventQuei ie1  then  e  ^  eventQueue2 
ExtCoreRi  ExtCoreRsi  <s,e  ExtCoreR2  ■■  ExtCoreRs2 


ExtCoreRsi  =  ExtCoreR.Sbi  ■■  ExtCoreRs„.bi 
ExtCoreRs2  =  ExtCoreRsb2  ExtCoreRsnb2  ExtCoreRsbi  <B,e  ExtCoreRsb2 
every  core  in  ExtCoreR.Sbi  and  ExtCoreRsb2  contains  a  blocking  event  handler  for  e 
no  blocking  event  handlers  for  e  in  ExtCoreRsnb  1  and  ExtCoreRsnb2 
ExtCoreRsi  <c,e  ExtCoreRs 2 


extCores-E 
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for  all  blocking  event  e,  ExtCoreRs i  <c  e  ExtCoreRs 2  ExtCoreRs  1  <  ExtCoreRs 2 

- ’ - extCores 

ExtCoreRs  1  <c  ExtCoreRs2 


e  is  a  blocking  event  e  ip 

d/i  =  ip  ::  tkii  ::  'k  |2  ::  ^13  'I'n  contains  states  of  the  form  ProcBlkEvtState(_  ,  _  ,  e) 

d/ 12  contains  states  of  the  form  DoneBlkEvtState(_  ,  id,  e,  c) 

pip  G  tk  13 ,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e,  _  ) 

^2  =  ip  ■■  'I'll  ::  ^12  ::  ^23 

pip  G  \P93)  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e),  or  ip  =  DoneBlkEvtState(_  ,  id,  e,  _  ) 

- - Browserstates-E 

^1  <c,e  ^2 

for  all  blocking  event  e,  ll;  i  <c,e  'IJ2  ^1  <  d/2 

- -  BROWSERSTATES 

^l  <c  2 


'k  <c 

Ta&s  <  Ta6s,  ExtCoreRs  <c  ExtCoreRs'  MBookmarks  <bkm  MBookmarks ' . 

-  State 

\1/,  Tabs,  ExtCoreRs,  proglnjCSs,  Exts,  MCookies,  MBookmarks,  UI,  sMode  < 

'k',  Tabs' ,  ExtCoreRs' ,  proglnjCSs' ,  Exts' ,  MCookies' ,  MBookmarks  ,  UI,  sMode 

Finally,  we  have  an  additionaly  rule: 

-  STUCK 

stuck  <  £ 

4.3  Lemmas 

We  list  several  lemmas  before  presending  our  main  noninterference  theorem. 

Definition  2  (Well  -formed  configuration).  We  define  wf  ( E )  if  all  of  the  following  hold: 

1.  eh  =  {id,  ■  ■  •)  €  Tab  and  Tab  G  E,  then  node  with  id  exists 

2.  e  =  {ide,  DOM.scriptLoaded,  none,  {idt,  idd,  id),  n),  k  %  £n  where  tn  is  the  lable  of  node  with  ID  id. 
Definition  3  (Matching  component).  We  say  that  comp1  and  comp2  are  two  matching  states  if  the  following  holds: 

1.  comp1  and  comp2  are  components  of  the  same  type 

2.  one  of  the  following  hold: 

(a)  comp1  <  comp2  and  one  of  the  following  holds 

i.  comp1  and  comp2  are  run  time  extension  cores  and 

ii.  comp1  and  comp2  are  injected  content  scripts  ( DocCS ) 

Hi.  comp1  and  comp2  are  lists  of  injected  content  scripts  ( DocCSs) 
iv.  comp1  and  comp2  are  tabs  (Tab) 

(b)  comp1  <c  comp2 
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Lemma  1  (Browserstate  event  relation).  If  ip  e  or  ip  ~nb  e,  then  labOf(ip)  =  labOf(e). 

Proof.  By  examining  the  definition  of  and  ^nb.  □ 

Lemma  2  (Event  enqueue  projection  1). 

1.  If  labOf(e)  C  k  then 

(a)  ( Tab  <3q  e)  j_K=  Tab  4-k<1q  e 

(b)  ( ExtCoreR  <3q  e)  fK=  ExtCoreR  j.K<] q  e 

2.  If  labOf  (e)  E  n  then 

(a)  ( Tab  <3q  e)  j_K=  Tab 

(/?)  ( ExtCoreR  <3q  e)  j.K=  ExtCoreR 

Proof  By  examining  the  definition  of  the  enqueue  operation.  □ 

Lemma  3  (Event  enqueue  projection  2). 

1.  If  Tab i  fK<  Tab2  then  (Tabx  <\q  e )  j_K<  ( Tab2  <3q  e)  j_K. 

2.  If  ExtCoreRi  j.K<  ExtCoreR2  j.K  then  ( ExtCoreRi  <3q  e)  j.K<  ( ExtCoreR2  <3 q  e )  j.K. 

3.  If  ExtCoreRsi  j ,K<C  ExtCoreRs2  then  ( ExtCoreRsi  <3q  e)  j.K<c  ( ExtCoreRs2  <3 q  e )  j.K. 

Lemma  4  (Node  exists  in  Doc).  If  node  =  (id ,  attributes ,  nodes ,  content ,  E)  £  Docs  and  t~  C  n,  then  id  £ 

Docs  j.K. 

Lemma  5  (Node  exists  in  Tab).  If  node  =  (id,  attributes,  nodes,  content,!)  £  Tab  and  Docs  £  Tab,  E~  C  k,  then 
id  £  Docs  j.K. 

Lemma  6  (Independent  component  update).  If  comp1  and  comp2  are  matching  components,  compa  and 
compb  are  two  pairs  of  matching  components,  comp'a  j,K  and  comp'b  are  two  pairs  of  matching  components, 
let  comp)  =  compi[compa  comp'a],  comp'2  =  comp2[compb  <=  compb],  then  comp)  j.K  and  comp)  j.K  are  two 
pairs  of  matching  components. 

Proof.  Given  the  definitions  of  mathcing  components,  it  is  clear  that  the  inner  components  compa  and  compb  are 
projected  independently  of  the  outer  components  ( comp1  and  comp2).  Therefore,  updating  the  inner  components  with 
a  matching  pair  preserves  the  less  than  relation.  □ 

Lemma  7  (Event  handler  update).  1.  IfDocCSi  =  (idextl,idcsl,idri,T1,  cmdi,  EventHandlersi,(i),  DocCS2  = 
(idext 2,  id cs2 1  tdr2,V2,  cmd2,  EventHandlers2,  l2),  DocCS i  j.K<  DocCS 2  fK,  l\~  E  k,  EventHandlersi  = 
EventHandlers )  ::  eh\,  EventHandlers2  =  EventHandlers)  ::  eh2,  eh)  j,K<  eh)  j,K,  then  DocCS \[eh\  4=  eh)]  4.K< 
DocCS 2[eh2  eh)]  fK. 

2.  If  ExtCoreRi  =  (idexti,  (ri,  cmd\,  EventHandlersi) ,  If),  ExtCoreR2  =  (idext2,  (T2,  cmd2,  EventHandlers2),£2), 
ExtCoreRi  4-k<c  ExtCoreR2  j.K,  !f~  E  k,  EventHandlers i  =  EventHandlersi  ::  eh i,  EventHandlers2  = 
EventHandlers 2  ::  eh2,  eh1  j,K<  eh2  \.K,  for  any  blocking  event  e,  e  in  the  queue  of  e/t1  iff  e  in  the  queue  of 
eh)  then  ExtCoreRi[ehi  4=  eh)]  j.K<c  ExtCoreR2[eh2  eh'2\  fK. 

Proof.  The  projection  of  event  handlers  is  independent  of  the  rest  of  the  elements,  so  swapping  related  event  handlers 
on  both  sides  mains  the  relation.  □ 
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Lemma  8  (Event  handler  update  in  page  scripts).  IfDocsi  j,K<  D0CS2  node  1  £  Docs\  and  nodei  =  (idn,-  ■  ■  ,£), 

IZ  k,  node 2  £  D0CS2  and  node 2  =  ( idn ,  ■■■,£),  nodei  j.K<„  node 2  in.  prur\e(EventHandlersi  j.K,  Docs\  j.K)  < 
prune(EventHandlers2  iK,DocS2  4-k)>  EventHandlers  1  =  EventHandlers'i  ::  e/ii,  EventHandlers2  =  EventHandlers2  :: 
eh 2,  eh\  4<KC  eh'2  in,  £'  E  k,  node 3  =  nodei  [(  <=  £'\,  node2  =  node 2^  -4=  f'],  node'i  iK<n  node'2  in  f/ze« 
prune(i?r;en(ffandZers1  ::  e/z^  4-k,  Docsi [nodei  4=  node-J  4-k)  <  prun e(EventHandlers2  ::  eh2  j.K,  DocS2[node2  <=  node2]  4-K), 

Proof.  Use  Lemma  4.  The  updated  node  still  exists  after  the  projection.  Further,  the  udpated  event  handlers  are 
related.  Therefore,  the  pruned  event  handlers  are  also  related.  D 

Lemma  9  (Browserstate  relation  1).  Given  any  blocking  event  e  and  'E'i  <c  *2  .if 

1.  ip  ~b  e 

2.  Af1=ip  ::  $u  ::  fia  ::  ^13, 

'Ll!  contains  states  of  the  form  ProcBlkEvtState(_  ,  _  ,  e), 

4/12  contains  states  of  the  form  DoneBlkEvtState(_  ,  _  ,  e,  _  ), 

$ip  £  4/i3  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e,  _  ), 

3.  ^2  =  ip  ::  4-n  ::  tf12  ::  ^23, 

ft/)  £  4/23,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e,  _  ). 
we  have  rhis  <c  rp23- 

Lemma  10  (Browserstate  relation  2).  If 'hi  <c  ^2,  ip  (E'i,  (E'i  ::  ip  <c  '$>2  ::  ip. 

Lemma  11  (Browserstate  relation  3).  If\ E'i  <c  (E^,  W>  £  (E'i ,for  all  blocking  event  e,  ip  f>b  e  imply  Afi\ip  <c  d/2 \ip- 

Lemma  12  (Browserstate  relation  4).  If 'h  1  <c  (K2,  Vt/>  £  (E'i,  for  all  blocking  event  e,  ip  7^5  e  and  ip  is  not  a 
DoneBlkEvtState(-  •  •)  or  ProcBlkEvtState(-  •  •)  related  to  e  imply  VP1\^  <c  4'2. 

Lemma  13  (Next  browserstate’s  label).  If  (ip e')  =  nextState(ip,vo\d),  then  labOf(ip )  E  labOf(ip')  =  labOf(e'). 

Lemma  14  (nextStateC).  When  the  transitions  are  not  CSINJECTION,  BeforeFetcheAllowed,  BeforeFetch- 
DocAllowed,  BeforeFetchDocBlocked(I),  BeforeFetchDocBlocked(2),  DomAppendChildren(I), 

27i  j,K<  272  in,  ip  £  Ei,  nextStateC(27i,  ip)  =  E(,£i  implies  one  of  the  following  holds 

1.  nextStateC (L2,  ip)  =  E2,£2  and  E[  j.K<  E2  in,  £1  \.K<  £2  in- 

2.  E'i  j,K<  E2  iK,  £1 1=  ■. 

Lemma  15  (Synchronous  calls).  £j  j,K<  E2  in,  E\  =  Ectx  \  T,  API s(e)  \  vj, 

1.  if  Ei  -—^apj.,  E\ :  £\  then  one  of  the  following  holds 

(a)  E2  -E>a PIb  E'2\ £'2  and  E[  fK<  E’2  and  £(  fK<  £'2  fK 

(b)  E'i  j.K<  E2  in  and  £(  iK=  ■ 

2.  if  Ei  —A  api„  E\ ;  £[  and  a  iK=  ■  then  E[  j,K<  E2  in  and  £(  iK=  • 

3.  if  Ei  EEfAPIs  £\  and  a  iK=  a  then  E2  -^A-apis  E2,£2,  E[  iK<  E2  iK  and  £(  iK<  £2  j,K 
Lemma  16  (One  step  simulation).  Hi  j_K<  S2  iK,  Ei  j,K<  E2  J,K  and  £1  j,K<  f2  in 

1.  if  Ei ;  Ei ;  £x  — Sj;  E[]  £  [  then  one  of  the  following  holds 
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(a)  H2;  E2\  £2  S'2;  £2;  and  E[  lK<  E'2  J,re,  I7(  |K<  E'2  fK,  and  £[  fK<  £2  fK 

(b)  Hi  |K<  H'2  lK,  E[  |K<  r2  fK  and  £[  fK<  £2  U 

2.  if  Ei,  E\\£\  Hi;  E[-,£[  and  a  fK=  ■  then  Hi  |K<  H2  E[  |K<  272  J,K  and  £[  |K<  £2  4-« 

3.  if  Ei~  Ep,£ !  -^4  Hi;  I7{;  £(  cmd  a  fK=  a  then  H2;  r2;  £2  -4-  H'2;  i72;  £'2,  H'x  jK<  H2  4,  4  J,K<  r2  J,K  cmd 
£(  4-re^  <?2  4-re 


cmd  die  transitions  do  not  have 


Lemma  17  (Multi-step  simulation). 

If  ^1  4-k<  4-k>  £>1  4-k<  4  Ik>  ft  4-k<  £-2  -Ik  then  Vp  S.t.  Si  \Ei\£i- 

declassification  steps  exists  p'  such  that  p  =K  p'  and  H2;  E2  \  £2  =4 

Proof  By  induction  on  the  number  of  transition  steps,  in  the  inductive  case.  Use  Lemma  16.  □ 

Theorem  18  (Noninterference). 

If  ^  t  \-k, —  --2  E\  —  E2  fny  £i  fn —  £“i  4-«  then 

•  Vp  s.t.  Hi;  Ei]  £i=$-  and  the  transitions  do  not  have  declassification  steps  exists  p'  such  that  p  =K  p'  and 


H2;  E2]£2  =4 
Vp  s.t.  H2;  E2\£2 
Ei-Ei-£i^ 


and  the  transitions  do  not  have  declassification  steps  exists  p'  such  that  p  =K  p'  and 


Proof.  Because  the  initial  states  are  the  same,  so  Hi  fK<  E2  J,re,  E\  fK<  E2  £\  |K<  £2  fK  and  =l2  |k<  Hi  j.K, 

4  4-re<  £?1  4'fc-  £ 2  4-k<  £l  4-re- 

The  conclusion  follows  from  Lemma  17  directly.  □ 


5  Proofs 

5.1  Proof  of  Lemma  16 

case:  Context 

There  are  three  subcases:  (1)  the  script  is  a  page  script  handler,  (2)  the  script  is  a  content  script  and  (3)  the  script  is 
in  the  extension  core. 

Subcase:  the  script  is  a  page  script  handler. 

Let  I7i  =  ('Ll,  Tabsi  ::  Tabi,  ExtCoreRsi,  progInjCSs1,  Extsx,  Cookiesi,  MB ookmarksi,  histories i,  UIi) 

E2  =  ('L2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2) 

By  assumptions 

Ei  —  Ecix  |  T,  cmd  | id 

Tab\  =  Tabctx  1 1\  cmd  =  (TabID i,  Docs\  ::  DocenvjTl,  url\,  EventHandlersi  ::  EventHandler CfX\  cmd  \id,i i) 

and  E[  =  Ectx\V ,  cmd'  \ld,  £[  =  £x 

Assume  that  the  label  of  the  node  with  ID  id  is  £n:  ctxOfld(U| ,  id)  =  in 

sub-subcase  i.  £n~  E  k 

By  Lemma  5, 

id  £  Docs i  4-k,  and  exists  nodeenv  [  T  \id  £  Docenv  4-K 

By  definition  of  Prune, 

(1)  EventHandler ctx\  cmd  £  Tab\ 
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By  27i  J,K<  E2  4-k 

(2)  Tabs2  =  Tabs'2  Tab2  and  EventHandlerCfX\  cmd  |i(j  G  Tab2  4-k 

By  definitions  and  (2), 

(3)  exists  Docs'2  G  Tab 2  4-k  and  exists  nodeenv\  T  [id  G  Docs'2  s.t.  nodeenv I  r  [ <n  node'env\  T  \id 
By  (2)  and  (3) 

(4)  Tab2  =  (TabID 2,  Z)ocs2[]r[,  url2,  EventHandlerS2  EventHandlerCfX\  cmd  []*<*, ^2) 

Apply  Context  to  272,  let  272  =  27cte2 1  r,  cmd  |]id 

(5)  Ectx2\  r,  cmd  Ectx2\T',  cmd'  !id;£2 

By  ^1  4-k—  ^2  4-k,  ^1  ^ctx I  F,  cmd  [ id,  E2  r,  cmd  lid, 

and  Context  does  not  change  Ectx  and  Ectx2 

(6)  Ectx I  r',  cmd'  lid  4-k<  27cteg[  T',  cmd'  |id 
By  assumption 

(7)  £1 4-K<  £2  4-k 

(8)  £[  iK=  £\  4<k<  S2  4-k 
sub-subcase  ii.  tn  ~  %  k 

By  definitions 

(1)  id  ^  Docs  1  4-k  and  EventHandlerCfX\  cmd  ]id  ^  Tab  1  4-k  and  nodeenv  1  r  [id  ^  Tabi  4-K 
By  A1!  4-k<  272  4-k,  Ei  =  Ectx  [  T,  cmd  [  jd,  and  CONTEXT  does  not  change  Ectx 

(2)  Ectx  1  r',  cmd'  lid  4-k=  Ectx\ r,  cmd  !id  4-k<  E2  4-k 
By  assumption 

(3)  £\  4-k<  £2  4-k 

Subcase:  the  script  is  a  content  script  handler 

Let  Ei  =  Tabsi  ::  Tabi,  ExtCoreRsi,  proglnjCSsi,  Exts\,  Cookiesi,  MB ookmarksi,  histories  1,  UIi ) 

E2  =  (4,2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2) 

By  assumptions 

Ei  —  Ectx  1  r,  cmd  1  id 

Tabi  =  TabCfX\  T,  cmd  lid  =  (TabID  1,  Docs\  ::  DocCfX\  T,  cmd  [id,  url  1,  EventHandlersi,  £1) 

Docctx\  B,  cmd  1  id  (xdd,  url,  nodes,  DocCSs  ..  DocCSefX\  r,  cmd  lid,^d) 

£>ocCS'%fjl  r,  cmd  [id  =  (*de2;t,  «d,  zdt,  [rj,  [cmd],  i?t;en<Lfand/ers,f?) 

or  ( idext ,  id,  idt,  Jr],  cmd,  EventHandlers  ::  EventHandlerCfX\cmd\,t ) 

sub-subcase  i.  f  C  k 

By  DS 1, 

DocCS’cfxl  r,  cmd  [id  4-k=  ( idext ,  id,  idt,  [r[,  \  cmd\,  EventHandlers  lK,£) 

or  DocCS CfX\  r,  cmd  lid  4-k=  {idext,  id,  idt,  [L] ,  cmd,  EventHandlers  4-k::  EventHandler  CfX\cmd\  4-K,£) 

By  definition 

(1)  DocCSctx  1  r,  cmd  \id  4_KG  Tabi  4-k 
By  27i  4-k<  E2  4-k 

(2)  Tabs2  =  Tabs'2  Tab2  and  DocCSCfX\  F,  cmd  lid  4-k€  Tab2  4-k 

By  definitions  and  (2) 

(3)  exists  DocCS ctx\  T,  cmd  1  id  G  DocCSs' ,  DocCSs'  G  Doc 4  Doc  G  Docs',  Docs'2  G  Tab2  4-k 
By  (2)  and  (3) 

(4)  Tab2  =  (TabID2,  Docs'  ::  Doc'C(XlT,  cmdlid,url2,  EventHandlers2,£2) 

Apply  Context  to  272,  let  272  =  Ectx2\T,  cmd \ld 

(5)  Ectx2 1  T ,  cmd  lid;  £2  -Befell  r',  cmd'  1  id ;  <^2 

By  27i  4-k™  E‘2  4-k,  Ei  —  27CiX|  r,  cmd  | id,  E2  —  Ec^x2^  r,  cmd  lid, 

and  Context  does  not  change  Ectx  and  Ectx2 
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(6)  Sctx\  r',  cmd '  lid  iK<  Sctx2\  r',  cmd!  !id  lK 

By  assumption 

(7)  £i  4,k<  £ 2  \ -k 

(8)  £(  U=  £\  4<k<  £2  4-k 

sub-subcase  ii.  £~  %  k 

By  DS2 

(1)  DocCSctx\ r,  cmd  \id  £  Tab1  \.K 

By  Si  J,K<  S2  iK,  S\  =  Sctx  |  r,  cmd  [id,  and  CONTEXT  does  not  change  Ectx 

(2)  Sctx  1  r',  cmd'  lid  iK=  Sctx  1  r,  cmd  \id  iK<  S2  iK 
By  assumption 

(3)  £\  4,k<  £2  \-K 

Subcase:  the  script  is  in  extension  core 

Let  Si  =  ('F1,  Tabsi,  ExtCoreRsi  ::  ExtCoreR,  proglnjCSsi,  Extsi,  Cookiesi,  M Bookmarks  1,  histories  1,  UI 1) 
S 2  =  (’F2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  Exts2,  Cookies2,  MB ookmarks 2,  histories 2,  UI2) 

By  assumptions 

Si  Scix  1  r,  cmd  1  id 

ExtCoreR  =  ExtCoreRctx\  F,  cmd  \id  =  (id,  ( [L] ,  [cmd],  EventHandlers) ,  l) 
or  (id,  (^1,  cmd,  EventHandlers  ::  EventHandler Ctx\cmd\) ,  £) 

sub-subcase  L<"Ck 
By  ExtCoreI, 

ExtCoreRctx  1  T,  cmd  \id  \.k—  (id,  ([T],  [cmd],  EventHandlers  iK),£) 

or  ExtCoreRctx\T ,  cmd  \id  \-k=  (id,  (jT\,  cmd,  EventHandlers  Ik'-  EventHandlerCfX\cmd\  4.K),£) 

By  definition 

(1)  ExtCoreRctx  1  r,  cmd  1  id  £1  Ik 

By  Si  lK<  S2  Ik 

(2)  ExtCoreRctx\  F,  cmi &  D id  4-kC  ExtCoreRs2  \.K 

By  definitions  and  (2) 

(3)  exists  ExtCoreR'ctxl  T,  cmd  lid  ExtCoreRs2 

s.t.  ExtCoreRctx\  F,  cmd  lid  4-K<  ExtCoreR'ctx\  F,  cmd  lid  iK 
let  S2  =  Sctx2 1  r,  cmd  \id,  apply  Context  to  S2, 

(4)  sctx2 1  r,  cmd  lid;  £2  Ectx2 1  r',  cmd'  |id;  £2 

By  Si  \-kS:  F2  \-k.  Si  —  Scfx |  r,  cmd  \id,  S2  —  £dctX2  \  F,  cmd  1  -id •» 
and  rule  CONTEXT  does  not  change  Sctx  and  Sctx2 

(5)  Sctx  1  r',  cmd'  lid  Ik<  %ctx2 1  r',  cmd'  lid  iK 
By  assumption 

(6)  £1  4<k<  £2  4-k 

(7)  £'1  4,k=  £1  4-k<  £2  4-k 
sub-subcase  ii.  t~  %  n 

By  ExtCore2 

(1)  ExtCoreR  J.K=  •,  ExtCoreRctx\  F,  cmd  \td  £  Si  \.k 

By  Si  Ik<  -F 2  Ik  Fi  =  Sctxj  r,  cmd  lid,  and  CONTEXT  does  not  change  Sctx 

(2)  Sctx  1  r',  cmd'  lid  Ik=  ^ctx  1  T ,  cmd  lid  iK<  F2  iK 
By  assumption 

(3)  £1  4,k<  £2  Ik 

case:  Return-Core 
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Let  E\  =  ('Ll,  Tabsx,  ExtCoreRsi, proglnjCSsx,  Extsx,  Cookiesx,  MB ookmarksi,  histories i,  UIi) 

E2  =  Tabs2,  ExtCoreRs'2,  progInjC'Ss2,  Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2 ) 

By  assumptions 

(Al)  E1  =  Ectx\T,  retv  lid 

(A2)  ExtCoreRCfx\  T,  ret  v  \id  €  ExtCoreRsi 

(A3)  Ext-CoreR  =  ExtCoreRctx\  T,  ret  v  =  (id,  (|]r|,  cmd,  EventHandlers  ::  EventHandler ctx  \ ret 
(A4)  EventHandler  ctx |retu[  =  (ideh,  eventType,  x. cmd,  £,  [ ret  v[,  ide,  nonblocking,  some(i?,  idr)) 

(A5)  E[  =  E'ctx\V,  skip  ld  =  Ectx\T,  skip  I«[*i  <=  ::  ^r] 

(A6)  ip  i  =  ayncAPIRetState(R,£~  ,idr,v) 

(A7)  £\  =  £1 

sub-subcase  i.  t~  C  k 
By  ExtCoreI, 

(1)  ExtCoreRctx\  I\  ret  v  \id  4-k=  (id,  ( [r[ ,  cmd,  EventHandlers  EventHandlerctx [ ret  v[ 

(2)  ExtCoreRctx  I  r,  ret  v  \id  4_Ke  Ei  4_K 
By  ExtCoreRsi  4.K<  ExtCoreRs2 

(3)  3ExtCoreRctx'\  I\  ret  v  \id  G  ExtCoreRs2 

s.t.  ExtCoreRctx I  I\  ret  v \ld  ExtCoreRctx'\  T,  ret  v  \id  U 

ExtCoreRctx  \  T,  ret  v  \id  )_K=  (id,  ( [L[ ,  cmd,  EventHandlers  EventHandler'ctx [ ret  u[  iK),£) 
EventHandlers  \.K<  EventHandlers1  ,J,K 

EventHandler'ctx fret  v[  =  (ideh,  eventType ,  x.cmd,  £ 1 ,  | ret  u|,  ide,  nonblocking,  some(i?,  idr )) 

£  Ik<  £'  Ik 

let  E2  =  Ectx2  [  T,  ret  v  1  id,  apply  Return-Core  to  E2, 

(4)  Ectx2\T,  ret  v\ld;£2  -4  E'ctx2  f  E,  skip }id;  £2 

(5)  E'ctx2(id)  =  Ectx2(id)[A> 2  <=  ^2  ::  ip2] 

(6)  ip2  =  ayncAPIRetState(R,  t~ ,  idr,v)  =  tpx 
By  BrowserstateI 

(7)  Ipi  iK=  Ipl,  1p2  4= 

By  ’Ll  iK<c  ^2  Ik,  Lemma  10 

(8)  ('Ll  ::  ipi)  ,J.K<C  (^2  ::  ip2)  4 

By  Ex  iK<  E2  iK,  Ex  =  Ectx\T,  ret  v  [id,  4  =  Ectx2\T,  ret  v  \id,  (5),  (6),  and  (7) 
and  Return-Core  only  change  the  browser  state, 

(9)  r'telr',skip[ld4,K<  E'ctxS\ r', skip  lid  iK 

By  assumption 

(10)  £'x  U<  £2  4 

sub-subcase  ii.  C~  %  k 

By  ExtCore2 

(1)  ExtCoreR  •,  ExtCoreRctx\  4  ret  v  [4  ^  Ex 
By  Browserstate2,  ExtCore2 

(2)  ipi  J,K=  •,  ExtCoreRctx 1  4  skip  \id  £  E(  \.K 

By  Ex  iK<  E2  iK,  Ex  =  Ectx\T,  ret  v  [id,  and  E[  =  E'ctx\ T,  skip  \id,  (1)  and  (2) 

(3)  E'x  4_k=  Ex  4_k<  E2 
By  assumption 

(4)  £[  J,K=  £1  PK<  £2 


case:  Return-CS,  Return-Page,  Return-N-Core,  Return-N-CS,  Return-N-Page:  the  proofs  are  similar 
to  the  proofs  for  Return-Core. 

case:  Return-Core-Blocking 
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Sctx{id)  =  (\tr,  Tabs,  ExtCoreRsCfX(id) ,  ■  •  •) 

d/  =  'F'  ::  ProcBlkEvtState(£_,  idr,e )  ExtCoreRctx(id )  €  ExtCoreRsCfX(id) 

ExtCoreRctx(id)  =  (id,  _  ,  EventHandlers  ::  EventHandlerctx,  £) 
EventHandlerctx(id )  =  (•••,  blocking,  some(e,  idr )) 
ip  =  DoneBlkEvtState(F_,  idr,  e,  v)  E'ctx(id)  =  Ectx(id)[^  \F  ::  ip] 

Ectx\T,retvlid;£  -4  E'ctx\ T,  skip  |ld;  £ 


Return-Core-blocking 


Let  E\  =  (’Ll,  Tabs\,  ExtCoreRsi, progInjCSs1,  Exts\,  Cookiesi,  MB ookmarksi,  histories i,  UI i), 

ExtCoreRsi  =  ExtCoreRs [  ::  ExtCoreRi 

S'2  =  (^2,  Tabs'2,  ExtCoreRs 2,  progInjCSs2,  Ext S2,  Cookies2,MBookmarks2,histories2,  UI 2) 

By  assumptions 

(Al)  E\  =  Ectx\  r,  ret  v  [id 

(A2)  ExtCoreRi  =  ExtCoreRCfX\  F,  ret  v  \id  =  (id,  ( [F [ ,  cmd,  EventHandlers  1  ::  EventHandlerictx\ret  vf),£) 

(A3)  EventHandlerctx | ret  v[  =  (ideh,  eventType,  x. cmd,  £,  [ret  v[,  ide,  blocking,  some(e,  idr)) 

(A4)  'Ll  =  W"  ::  ipia,  ipia  =  ProcBlkEvtState(£“,  idr,  e) 

(A5)  ip ib  =  DoneBlkEvtState(£“,  idr,  e,  v) 

(A6)  E’l  =  r'tx[r,skip[ld  =  Ectx\  T,  skip  jid [d/i  <^=  'Ll  ::  ipib\ 

(A7)  E'i  =  Si 
sub-subcase  i.  I~  C  k 
By  ExtCoreI, 

(1)  ExtCoreRCfX [  T,  ret  v  4k=  (id,  ( [F] ,  cmd,  EventHandlers  1  4k"  EventHandlerictxjret  t>]  4k),  (0 

By  definition 

(2)  ExtCoreRctx\  T,  ret  v  [id  4k G  Ei  4K 
By  Ei  4k<  E2  4 -k 

(3)  ExtCoreRs  1  4k<c  ExtCoreRs2  4k 

(4)  $1  4k<c  ^2  4k 
By  (3) 

(5)  ExtCoreRs  1  4k<  ExtCoreRs2  4k 

(6)  ExtCoreRs2  =  ExtCoreRs '2  ::  ExtCoreR2,  s.t.  ExtCoreR2  ExtCoreRi  4k 

(7)  and  ExtCoreR2  =  ExtCoreRctx'\  T,  ret  v  =  (id,  (|r[,  cmd,  EventHandlers2  ■■  EventHandler  2Ctx\r&  u[),^) 
and  ExtCoreRctx\  F,  ret  v  [id  4k<  ExtCoreR'ctx\  F,  ret  v  [id  4k 

and  EventHandlers  1  4k<  EventHandlers2  4k 
and  EventHandler lcprlret  u[  4k<  EventHandler2ctxirei  4k 
Let  EventHandler 2ctx|ret  u|  =  (ideh,  eventType,  x.cmd,  £' ,  [ret  t>[,  ide,  blocking,  some(e,  idr)) 

By  (7) 

(8)  £  4k<  S'  4k 
By  (4),  Lemma  1 

(9)  'Ll  4k=  ipi  ■■  ’Fit  ::  ^12  ::  'F|3,  where  ipi  ~e>  e 

d^n  contains  states  of  the  form  ProcBlkEvtState(_  ,  _  ,  e) 

^12  contains  states  of  the  form  DoneBlkEvtState(_  ,  id,  e,  c) 

flip  £  dr  13,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e,  _  ) 

(10)  \hp  €  ip  1  ::  'Ll!  ::  d/i2,  labOf(ip)  =  labOf(e) 

(11)  tpia  S  ipn, 

(12)  d>2  4k=  ipi  ■■  *F 1 1  ::  ^12  ::  ^23 

-flip  £  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e,  _  ) 
let  E2  =  EctX2 1 F,  ret  v  \id,  by  (6),  (11),  (12),  we  can  apply  Return-Core-Blocking  to  E2, 

(13)  ip2b  =  DoneBlkEvtState(F“,  idr,  e,  v)  =  ipib 
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(14)  £^2 1  r>  skip  lid  =  ^ctxsl  r,  skip  jid [\L2  <=  4/ 2  ::  fob] 

(15)  Ectx2 1  r,  ret  v  |id;  ^2  E'ctx2 1  r,  skip  |id;  £2,  £2  =  £ 2 
Return-Core-Blocking  does  not  change  the  event  handler  other  than  the  current  command 

(16)  ExtCoreRctx I  T,  skip \id  |K<C  ExtCoreRctx'\ T,  skip  [id  fo 
By  (9),  (13),  browserstateI,  Lemma  10 

(17)  ('Ll  ::  fob)  Ik<c  (^2  "  fob)  in 

By  Ex  4-«<  E2  in,  Ei  =  Ectx I  T,  ret  v  \id,  E2  =  Ectx2\ T,  ret  v  ] id,  (A6)  (14),  (17)  and  state 

(18)  r'te|r,skipild  j.K<  r'te2|r,skip|id  fo 
By  assumption,  (A7),  (15) 

(19)  £[  U<  £!2  U 

sub-subcase  ii.  l~ 

By  ExtCore2 

(1)  ExtCoreR  \.K=  •,  ExtCoreRCfX\  F,  ret  v  [jd  ^  E\  4-K 
By  Browserstate2,  Lemma  1 

(2)  fob  fo=  •>  ExtCoreRctx [  T,  skip  [id  ^ 

o)  $i  |K=  $1  u<c  w2 

By  F1!  fo<  E2  lK,  E1  =  Ectx\  r,  ret  v  \id,  and  E[  =  E'ctx [  T ,  skip  |id,  (2)  and  (3) 

(4)  Ei  4-k=  E\  fo<  E2  lK 
By  assumption 

(5)  £'1  J,K=  £1  4-K<  £2  4.,- 


case:  SkipAPICall-S1 

There  are  three  subcases:  (1)  the  script  is  a  page  script  handler,  (2)  the  script  is  a  content  script  and  (3)  the  script  is 
in  the  extension  core. 


£  =  ctxOfld(27cte[  r,  API s{v)  \id,id) 

t~  C  labOf  ( APIS)  the  last  argument  of  v  is  not  a  label 

_ 1 _ 1 _ _ _ SkipAPICall-S  1 

Ectx I  T,  APIs(v )  \id;£  Efo  Ectx\  T,  void  lld;£ 

Subcase:  the  script  is  a  page  script  handler. 

Let  Ei  =  (’Ll,  Tabsi  ::  Tabi,  ExtCoreRsi,  proglnjCSsi,  Extsi,  Cookiesi,  MBookmarksi,  histories^,  UIi) 
E2  =  (^2,  Tabs2,ExtCoreRs2,progInjCSs2,Exts2,  Cookies2,  MBookmarks2l  histories2,  UI2 ) 

By  assumptions 

Ei  =  Ectx\T,APIs(e)  \id 
Tabi  =  Tabctx\T,  API  s{e)\ld  = 

(TablDi,  Docsi  ::  Docenv\T\,  url\,  EventHandlersi  ::  EventHandlerCfX\  API s(e)  \id,£\) 
and  E[  =  Ectx [  V ,  void  \id,  £[  =  £x 

Assume  that  the  label  of  the  node  with  ID  id  is  in:  ctxOfld(I7i,  id)  =  £n 

sub-subcase  i.  £„  ~  C  k 

By  Lemma  5, 

id  £  Docs  1  4-k?  and  exists  nodcenv  |  r  |id  £  |r|  4-k. 

By  definition  of  Prune, 

(1)  EventHandlerctx\  APIs(e)  \id  £  Tabi  fo 
By  Ei  |K<  E2  Ik 

(2)  Tabs2  =  Tabs'2  Tab2  and  EventHandlerCfX\  APIs(e)  \id  £  Tab2  4_K 

By  definitions  and  (2) 
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(3)  exists  Docs'2  £  Tab2  *U  and  exists  node 'env  \  T  €  Docs'2  s.t.  nodeenv I  r  [id  <n  nodeenv  \  T  [id 
By  (2)  and  (3) 

(4)  Tab2  =  ( TabID2 ,  -Docs2[r[,  url'2,  EventHandlers2  ::  EventHandler  cjx\  APIs{e)  [id,  ^2) 

By  (3),  assumption,  and  node'env |  T  \id  =  ( id ,  attributes' ,  nodes' ,  [F[ ,  £n) 

(5)  in~  %  labOf {APIS) 

Apply  SkipAPICall-S1  to  F2,  let  F2  =  Ectx2  \  T,  APIs{e)  \ld 

(6)  Ectx2 1  r,  API s{e)  jid', £2  — >  ^ctx2 [  r,  void  \id',£ 2 
By  A 

^2  -]•-«;>  ^1  ^ ctx  |T  ,APIs(e)\  id->  ^ 2  —  dx2  I  T,APIs{e)  [id, 

and  SkipAPICall-S  1  does  not  change  Ectx  and  Sctx2 

(2)  Fetal  r,  void  [id  £*ctx2  [  B,  VOld  [id  \-k 
By  assumption 

(8)  £\  U<  £2  4-k 

(9)  £[  iK=  £\  £2  in 

sub-subcase  ii.  In  ~  %  n 

By  definitions 

(1)  id  Docs  1  4<k  and  EventHandler  CfX\  API s{e)  [id  ^  Tab  1  and  nodeem;[  T  [id  ^  Tab  1  4-K 
By  Fl  4,k<  F2  4,k,  Fi  =  Fetal  I\  API s(e)  [id,  and  SkipAPICall-S  1  does  not  change  Ectx 

(2)  Fetal  r,  void  lid  lK=  Ectx\T,APIs{e)  [id  |K<  F2  ±K 
By  assumption 

(3)  £\  U<  £2  \-K 

Subcase:  the  script  is  a  content  script  handler 

Let  Ei  =  Tabsi  ::  Tabi,  ExtCoreRsi,  proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UI 1) 

F2  =  (^2,  Tabs2,ExtCoreRs2,progInjCSs2,Exts2,  Cookies2,  MB ookmarks 2,  histories 2,  UI2) 

By  assumptions 

Fr  =  Fete  [  r,  API,  (g)  [id 

Tab\  =  TabrtAT,  API  s(e)  hd  =  {TablDi,  Docs\  ::  Pocc/r[  I\  AP/s(e)  Ld,  url\,  EventHandlersi,  £\) 

Docctx\  T,  4P7s(e)  [^  =  (*dd,  «r/,  nodes,  PocCSs  ::  DocCSctx\ V ,  API  s{e)  [w,  £d) 

DocCSsctx |  r,  APIs(e)  \id  =  {idext,  id,  idt,  [L[,  |  API s{e)j,  EventHandlers,!) 

or  {idext,  id,  idt,  [T[,  cmd,  EventHandlers  ::  EventHandler  CfX\API  s{e)\,  I) 

sub-subcase  LLCk 
By  DS 1, 

DocCSctx\  r,  APIs{e)  [id  iK=  {idext,  id,  idt,  [r[,  \  API s{e)\,  EventHandlers  iK,I) 

or  DocCS CfX\  r,  API s{e)  [id  4-K=  {idext,  id,  idt,  [T[,  cmd,  EventHandlers  ,J.K::  EventHandler  CfX\API  s{e)\  \.K,l) 

By  definition 

(1)  DocCSctx\  r,  APIs{e)  \ld  Ue  Tabi  iK 
By  Ei  4,k<  E2 

(2)  Tabs2  =  Tabs2  ::  Ta&2  and  DocCSctx\  F,  APIs{e)  \id  Tab2  iK 

By  definitions  and  (2) 

(3)  exists  DocCS'ctx  \  T,  API s{e)  \ld  £  DocCSs1,  DocCSs'  £  Doc  ,  Doc  £  Docs',  Docs'2  £  Tab2  4-K 
DocCS'ctx\ r,  APIs{e)  | ^  =  {idext,  id,  idt,  [T[,  [AP/s(e)[,  EventHandlers' , l) 

or  {idext,  id,  idt,  |T[,  cmd ,  EventHandlers'  ::  EventHandler CfX\API s{e)\,t) 
s.t.  DocCSctxl  r,  APIs{e)  |id  <  DocCS'ctx [  T,  APIs{e)  [id 
By  (2)  and  (3) 

(4)  Tab2  =  { TabID2,  Docs'ctx\  T,  APIs{e)  [id,  url2,  EventHandlers2, 1 2 ) 

By  assumption 

(5)  i~  %  labOf {APIS) 
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Apply  SkipAPICall-S1  to  E2,  let  E2  =  Ectx2\ B,  APIs(e)  \id 

(6)  ^ ctx2  \Y,APIs(e)\id-£2  -4  Ectx2\  T,  void  |*  ;£2 

By  27i  4'K—  *4  4- k 5  *4  —  ^ctx  |  B,  APIs(e)  |ic;,  E2  —  EctxZ  |  B,  API s(e)  | id, 
and  SkipAPICall-S  1  does  not  change  Ectx  and  Ectx2 

(7)  Ectx  |  r,  void  'I'K—  ^ctx2  Q  B,  void  | %d  4^ 

By  assumption 

(8)  E\  4-k<  £2  4 -k, 

(9)  £(  iK=  £\  iK<  £2  U 

sub-subcase  ii.  t~  %  n 

By  DS2 

(1)  DocCSctx I  B,  APIs(e)  U  £  Tabl  4 

By  E\  4-k<  E2  iK,  E\  =  Ectx  |  B,  API s(e)  \id,  and  SkipAPICall-S  1  does  not  change  Ectx 

(2)  rcte||r,void  jid  4_k=  Ectx\T ,  API  s(e)  [id  4_K<  E2  ±K 
By  assumption 

(3)  £\  4-k<  £ 2  4-k 

Subcase:  the  script  is  in  extension  core 

Let  Ei  =  ('Ll,  Tabsi,  ExtCoreRsi  ::  ExtCoreR,  proglnjCSsi,  Extsi,  sModei) 

E2  =  ('L2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2) 

By  assumptions 

Ei  =  Ectx\T,APIs{e)  lid 

ExtCoreR  =  ExtCoreRCfX\  B,  APIs(e)  [j  d  =  (id,  ( I  B[ ,  \API  s(e)\,  EventHandlers) ,  £) 
or  (id,  (|B[,  cmd ,  EventHandlers  ::  EventHandler ctx\API s(e)[) , I) 

sub-subcase  U'Ck 
By  ExtCoreI, 

ExtCoreRctx\  T,APIs(e)  l,:d  iK=  (id,  (|r|,  \  API 3(e)\,  EventHandlers  \ ,K),I) 

or  ExtCoreRCfX\  T,  APIs(e)  4-k=  (id,  (|r[,  API s(e),  EventHandlers  4-K::  EventHandler  CfX\cmd\  iK),£) 

By  definition 

(1)  ExtCoreRctx\  B,  APIs(e)  ]id  4_Ke  Ei  4_K 
By  Ei  4_k<  E2  iK 

(2)  ExtCoreRctx\  T,  APIs(e)  \.id  4_Ke  ExtCoreRs2  iK 

By  definitions  and  (2) 

(3)  exists  ExtCoreR'ctx2\  B,  APIs(e)  \id  ExtCoreRs2  4-K 

s.t.  ExtCoreRctx\  r,  APIs(e )  \id  4_K<  ExtCoreR' ctx2 1  B ,  APIs(e)  \id  iK 
By  definitions  and  assumption 

(4)  ctx0fld(4>,  id)  =  £',  £'  =  £,  £!~  %  labOf (APIS) 

Apply  SkipAPICall-S  1  to  E2,  let  4  =  Ectx2\T,  APIs(e)  \id 

(5)  ^ ctx2  \T,APIs(e)  ld-,£2  -4  Ectx2\  T,  void  \id -,£2 

By  Ei  ^2  -j-K,  9  ^1  Zctx  I  T,APIs(e)  |  id->  ^2  —  ctx2  I  r,  APIs(e)  \id, 

and  SkipAPICall-S  1  does  not  change  Ectx  and  Ectx2 

(6)  Ectx  |  r ,  void  4  —  £*ctx2  Q  B ,  void  1 7;f/  4 
By  assumption 

(7)  £i  4,K<  £ 2  4-k 

(8)  £[  iK=  £i  4-k<  £ 2  4-k 
sub-subcase  ii.  t~  %  n 

By  ExtCore2 

(1)  ExtCoreR  4-K=  •,  ExtCoreRctx\  B,  APIs(e)  jid  £  Ei  lK 
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By  E\  iK<  Ei  Ei  =  Ectx\  T,  APIs(e)  [ jd,  and  SkipAPICall-S  1  does  not  change  Ectx 

(2)  Ectx  I  F,  void  [  jd  4-k=  Ectx  [  F,  API s(e)  [id  4-K<  E2  \.K 
By  assumption 

(3)  E\  4-k<  in 

case:  SkipAPICall-S2,  SkipAPICall-A1,  SkipAPICall-A2,  the  proofs  are  similar  to  the  proofs  for  SkipAPICall- 

Sl. 

case:  FireAPICall-S1 


I  =  ctx0fld(rcte|r,AP/s(t7)  I  id,  id) 


the  last  argument  of  v  is  not  a  label 


r  C  labOf (APIs)  Sctxl  r,  APIs(v)  [id  Aap/,  E'-£' 


Ectx\  Y,APIs(v)  \id-,£ 


E'\£  ::  £' 


FireAPICall-SI 


By  assumptions 

Ei  =  Ectx\T,APIs(e)\id 

Ectx\T,APIs(e)  \id  A Apis  E[-£( 

Ectx\T,APIs(e)\td;£i  A  E[;£  1  ::  £[ 

By  Lemma  15,  E\  \,K<  E2  iK 
if  j3  =  t,  then 

either  E2  ~^apis  E’2\ £2,  E{  U<  E’2  U  and  £[  |K<  £'2  iK 
or  E[  lK<  E2  lK  and  £\  lK=  • 
if  /3  =  a,  a  lK=  ■,  then  E[  J,K<  E2  and  £[  • 

if  (3  =  a,  a  a 

V  a  A  Y'f .  cl 

^2  r  APIs  ^2’ 

E2-£2  ^  E'2,£2 

where  E[  J,K<  E’2  iK  and  £[  |K<  £’2  4_K. 


case:  FlREAPICALL-S2.The  proofs  are  similar  to  the  proofs  for  FireAPICall-S  1 . 
case:  FireAPICall-A-Core 


Ectx(id)  =  (’L,  Tabs,  ExtCoreRsctx(id),-  ■  •)  ExtCoreRCfX(id)  £  ExtCoreRsctx(id ) 

ExtCoreRCfX\  T,  APIa(v)  |jd  =  (id,  .  ,  EventHandlers ,  E) 

labOf  (API  a)  C  E*  when  v  =  ■  ■  ■ ,  Kt,l  =>•  Kt  callbackOf  (v)  =  x.cmd 

fresh(idch)  fresh(idh)  eh  =  (idh,  idcb,  x.cmd,  ■,  skip,  void,  nonblocking,  none) 

ExtCoreRCfX  (id)  =  ExtCoreRCfX(id)[EventHandlers  <=  EventHandlers  ::  eh] 

ExtCoreRsCfX  (id)  =  ExtCoreRsCfX(id)[ExtCoreRsCfX(id)  <=  ExtCoreRsCfX  (id)] 
ip  =  ayncAPIstate(E~ ,  idcb,  APIa(v )) 

E’ctx(id)  =  Ectx(id)[ExtCoreRsctx(id)  ^  ExtCoreRs'ct^id)]]^  ::ip] 

- - - FireAPICall-A-Core 

Ectx  I  r,  APIa(v)  [w;  £  -4  E'ctx\Y,  skip  \td-£ 

Let  E\  =  (’Ll,  Tabsi,  ExtCoreRsi  ::  ExtCoreR,  progInjCSs1,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UI 1) 
E2  =  (\I/2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2) 

By  assumptions 

El  =  Ectx\  r,  APIa(v)  [id 
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ExtCoreR  =  ExtCoreRctx\  r,  APIa(v)  \u  =  (id,  (|r[,  [,AP/a(i7)|,  EventHandlers) , £) 
or  (id,  ( [r | ,  cmd,  EventHandlers  ::  EventHandler  ctx\  API  a(v)\) ,  £) 
callbackOf  (v)  =  x.cmd,  fresh(idcb) 
eh  =  (idcb,  x.cmd,  ■,  skip,  void,  nonblocking,  none) 

ExtCoreRCfx  (id)  =  ExtCoreRctx(id)[EventHandlers  <4=  EventHandlers  ::  eh] 
ip  =  ayncAPIstate(l~ ,  idcb,  API a(v)) 

E'ctx(id)  =  Ectx(id)[ExtCoreRctx(id)  <4=  ExtCoreR'ctx(id)]['l!  -4=  ::  ip] 

e;  .'4,; i -.skip 

sub-subcase  i.  £  C  k 

By  ExtCoreI, 

ExtCoreRc tx\  T,  APIa(v)  \ld  lK=  (id,  (|r[, \APIa(v)l,  EventHandlers  \ ,K),t) 

or  ExtCoreRCfX\  F,  APIa(v)  \.K=  (id,  (|r|,  APIa(v),  EventHandlers  EventHandler CfX\cmd\  iK),£) 

By  definition 

(1)  ExtCoreRctx |  T,  APIa(v)  \id  ,|,ree  Ex  \.K 
By  Ei  Ei  \.K 

(2)  ExtCoreRctx I  T,  APIa(v)  \id  ExtCoreRs2  iK 

By  definitions  and  (2) 

(3)  exists  ExtCoreRctx2 1  F,  APIa(v)  \id  ExtCoreRs2 

s.t.  ExtCoreRctx I  r-  APIa(v)  jjid  ExtCoreRctx2\T,  APIa(v)  \ld  \.K 

(4)  ExtCorectx2\T,  APIa(v)  \id  =  (id,  (|F[,  \APIa(v)\,  EventHandlers2),£) 

or  (id,  (|r|,  cmd ,  EventHandlers2  ::  EventHandlerctx2\APIa(v)\),£ ) 

Apply  FireAPICall-A-Core  to  E2,  let  E2  =  Ectx2  \  T,  APIa(v)  \id 

(5)  Ectx2\T,APIa(v)\ld;£2  -^4  E'ctx2  [  F,  void  \ld;  £2 

(6)  Let  idcb2  =  idcb,  then  eh2  =  (idcb2,  x.cmd,  -,  skip,  void,  nonblocking,  none)  =  eh 

(7)  ExtCoreR'ctx2(id)  =  ExtCoreR ctx2(id)[EventHandlers2  <4=  EventHandlers2  ::  eh2] 

(8)  ExtCoreRs'ctx2(id)  =  ExtCoreRsctx2(id)[ExtCoreRctx2(id)  -4=  ExtCoreR' ctx2(id)\ 

(9)  ip2  =  ip  =  ayncAPIstate(£~ ,  idcb ,  APIa(v )) 

(10)  E'ctx2(id)  =  Ectx2(id)[ExtCoreRsctx2(id )  *4=  ExtCoreRs’c^^d)]^ 2  4=  ^2  ::  ip2] 

By  Ex  iK<  E2  U  Et  =  Ectx\ T,  APIa(v)  \id,  E2  =  Ectx2\T,  APIa(v)  \ld,  (3),  (6),  (7),  (8),  (9),  (10), 
ExtCoreI,  BrowserStateI,  EH,  and  the  new  states  are  not  related  to  blocking  states 

(H)  £'tJr,skiP»«t  Ik<  ^ctx2  1  4  skiP  \id  Ik 

By  assumption 

(12)  £1  PK<  £2  \.K 

sub-subcase  ii.  i~  %  n 

By  ExtCore2  and  BrowserState2 

(I)  ExtCoreR  \.K=  ExtCoreRctx\ 4  APIs(v)  \id  g  Ex  \.K 

(2)  ExtCoreR'  \ ,K=  •,  ExtCoreRctx' \  4  sk'P  lid  4-  E]  \.K 

(3)  ip  U=  ■ 

By  assumptions,  E1  |K<  X2  U  Ex  =  Ectx\ T,  APIa(v)  \id,  E[  =  E'ctx  [  T,  skip  \id,  and 
E'ctx(id)  =  Ectx(id)[ExtCoreRctx(ld )  *4=  ExtCoreR'ctx(id)\  [4/  *4=  (P  ::  ip] 

(4)  Ktxl  4  skiP  lid  4=  Ectx\V,APIa(v)  \id  4<  E2  lK 

By  assumption 

(5)  £\  4_k<  £2  4 

case:  FireAPICall-A-CS  and  FireAPICall-A-Page.  The  proofs  are  similar  to  the  proofs  for  FireAPICall- 
A-Core. 

case:  EventFireNonBL 
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e  is  a  blocking  event  E  =  (\&,  Tabs,  ExtCoreRs,  •  •  •)  ’I'  =  EL'  ::  ip  ip  ~b  e 

\/ ExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers{ExtCoreR,  e), 

\/eh  £  EHs,  Iab0f(e/i)~  =  labOf(e)  =>  is  Blocking  {eh)  =  false 
{ip' ,  e')  =  nextState{ip,\i oid)  E'  =  I7[EL  <^=  EL'  ::  ip'][ExtCoreRs  4=  ExtCoreRs  <q  e] 

E-,£  ::  e  -4  27'; £  ::  e! 


EventFireNonBL 


By  assumptions 

(Al)  E\  =  (fBi ,  Tabsi ,  ExtCoreRsi,  ■  ■  •),  ’Ll  =  At"  ::  ipi 
(A2)  fi  =  ::  ei,  ipi  ei 

(A3)  VExtCoreR  £  ExtCoreRsi,  EHs  =  getActiveHandlers{ExtCoreR ,  ei), 

Ve/i  £  LTf/s,  labOf(e/i)_  =  labOf(e)  =>  isBlocking{eh )  =  false 
(A4)  (^,  e()  =  nextState{ipi,  void) 

(A5)  =  27i[ELi  •<=  EL"  ::  4=  ExtCoreRsi  <q  ei] 

(A6)  £[=£"  v.e'i 

(A7)  E2  =  (EL2,  Tabs2,  ExtCoreRs2,  ■  •  •) 
sub-subcase  i.  lab  Of  {e  1)  C  n 

By  ipi  ~6  ei.  Lemma  1,  BrowserstateI 

(1)  lab  Of  ('0i )  =  labOf{e1)  C  «,  0i  4-«=  ipi 
By  £1  ).«<  £2  labOf{ei)  C  k,  eventI 

(2)  ei  !«=  ei,  3e2  £  £2,  s.t.  £2  =  £2  ■■  e2,  £”  iK<  £2  l*.,  Ik<  e2  that  is  e2  =  e\. 

By  ’Ll  4-k<c  ^2  4-k>  ei  is  a  blocking  event,  e2  =  e\ 

(3)  ’Ll  U<c,ei  ^2  lK 

(4)  ’Ll  4-«<  ^2  I* 

(5)  ’Ll  J.«=  0i  ::  ^11  ::  ^12  ”  EL13 

'Ll!  contains  states  of  the  form  ProcBlkEvtState(_  ,  _  ,  ei) 

'L 12  contains  states  of  the  form  DoneBlkEvtState(_  ,  _  ,  ei,  _  ) 

$ip  £  d/13,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  ei),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  ei,  _ ) 

(6)  ^2  Pk=  "01  ::  iLn  ::  EL12  ::  ^23 

$ip  £  EL23,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  62),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e2,  _  ) 

By  EventFireNonBL  is  an  event  firing  rule.  Lemma  9 

(7)  ELn  =  •,  ELi2  =  • 

(8)  EL 13  <c  vt,23 

By  ipi  ~b  ei,  ipi  £  ^2  Ik,  ei  =  e2, 

(9)  ip\  £  EL 2,  and  ipi  ~b  e2,  ^2  =  EL 2  ::  ipi 
By  ExtCoreRsi  4.K<C  ExtCoreRs2  in, 

(10)  ExtCoreRsi  ).K<  ExtCoreRs2  | K 
ExtCoreRsi  4_K<c,ei  ExtCoreRs2  |K> 

ExtCoreRsi  fK=  ExtCoreRsbi  ExtCoreRsnbi, 

ExtCoreRs2  4_K=  ExtCoreR.Sb2  ■■  ExtCoreRsnb2 
ExtCoreRsbi  <B,e  1  ExtCoreRsb2 

every  core  in  ExtCoreRsbi  and  ExtCoreRsb2  contains  a  blocking  event  handler  for  ei, 
no  blocking  event  handlers  for  ei  in  ExtCoreRsnb\  and  ExtCoreRsnb2 

(11)  M  ExtCoreR  £  ExtCoreRsi  fK,3ExtCoreR'  £  ExtCoreRs2  4-K,  s.t.  ExtCoreR  )_K<  ExtCoreR '  J,K 
By  ExtCoreRsbi  <B,ei  ExtCoreRsb2 

(12)  There  are  matching  pairs  of  ExtCoreR  and  ExtCoreR' 

s.t.  ExtCoreR  £  ExtCoreRsbi,  ExtCoreR'  £  ExtCoreRsb2 
ExtCoreR  =  {idext,  ,  EventHandlersi  ::  ehi),£) 
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ExtCoreR'  =  ( idext ,  ,  EventHandlers2  ::  eh 2),Cj 

eh  1  =  (event.TypeOf  (e),  _  ,  eventQueue 1;  _  ,  _  ,  blocking,  _  ) 
e/12  =  (event.TypeOf  (e) ,  _  ,  eventQueue2 ,  _  ,  _  ,  blocking,  _  ) 

ExtCoreR  <  ExtCoreR1 
By  (A3),  (12),  ei  =  e2 

(13)  V ExtCoreR'  £  ExtCoreRs2 ,  -Kffs  =  getActiveHandlers(ExtCoreR' ,  e2), 

Ve/i  £  EHs,  labOf (eh)~  =  Iab0f(e2)  =>  isBlocking(eh)  =  false 
This  can  be  show  by  contradiction:  if  (1 1)  is  not  true,  then  (A3)  is  not  satisfied. 
By  (9),  (13),  apply  EventFireNonBL  to  E2 

(14)  (ip[,  e[)  =  nextState(ipi,  void) 

(15)  E2  =  E2 [$2  4=  $2  ::  4>[\[ExtCoreRs2  <=  ExtCoreRs2  <3q  e2] 

(16)  E2-£2^E!2-£'2,£'2=£'f::e( 

By  $13  <c  $23,  Lemma  10 

(17)  $13  ::  ^  <c  $23  ::  ft 

($"  ::  if()  $13  ::  ft  <c  ($"  ::  t/>')  +K=  $23  ::  ^ 

By  ExtCoreRs  1  ExtCoreRs2  J,K,  e\  =  e2.  Lemma  3 

(18)  (ExtCoreRsi  <3q  ei)  J,K<C  ( ExtCoreRs2  <3 q  e2) 

By  Ei  iK<  E2  U,  (15),  (17),  (18),  STATE 

(19)  E(  U<  E'  u 
By  (A6),  (2),  (15) 

(20)  £'  U<  £2  U 
sub-subcase  ii.  lab  Of  (e  1)  %  k 

By  Lemma  2 

(1)  ExtCoreRsi  <3 q  ei  fK=  ExtCoreRsi  ),K<C  ExtCoreRs2 
By  (A4),  Lemma  13 

(2)  ipi  fK=  •,  ip[  fK=  •,  e[  l=  ■ 

(3)  $i  +K=  $1  |K<C  $2  By  (1),  (3),  (A5) 

(4)  E[  E2 

(4)  £(  fK=  £1  ),K<  £2  f  K 

case:  EventFireBL  satisfies  Lemma  16. 


e  is  a  blocking  event  E  =  ($  ::  ip,  Tabs,  ExtCoreRs,  •  •  •) 

3ExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR,  e), 

3 eh  £  EHs,  isBlocking(eh)  =  true  A  labOf (eh)~  =  labOf(e) 

E’  =  ElExtCoreRs  <=  ExtCoreRs  On  el 

- - - EventFireBL 

E-£  ::  e  -4  E'-£ 

By  assumptions 

(Al)  Ei  =  ($!,  Tabsi,  ExtCoreRsi,  ■  •  •),  $1  =  $'/  ::  ipi 
(A2)  £1  =  £’{  ::  elt  ipi  ex 

(A3)  3ExtCoreR  £  ExtCoreRsi,  EHs  =  get ActiveHandlers (ExtCoreR,  ei), 

3  eh  £  EHs,  is  Blocking  (eh)  =  true 
(A4)  E'i  =  Ei[ExtCoreRsi  <=  ExtCoreRsi  <q  ei] 

(A5)  £[=£'{ 

(A6)  E2  =  ($2,  Tabs2,  ExtCoreRs2,  ■  ■  •) 
sub-subcase  i.  labOf  (ei)  C  k 
By  ipi  ~6  ei.  Lemma  1,  BrowserstateI 
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(1)  labOf  (ip  i)  =  lab  Of  (e  i)  E  «,  V’i  Ik=  i>i 
By  E\  |K<  £2  labOf  (ei)  E  K,  eventI 

(2)  ei  |K=  ei,  3e2  G  £2,  s.t.  £2  =  £'2  e2,  £"  Ik<  £'2  Ik,  ei  Ik<  e2  |K,  that  is  e2  =  e\. 

By  $1  |K<C  $2  Ik,  ei  is  a  blocking  event,  e2  =  ei 

(3)  $1  |K<c,ei  $2  |k 

(4)  $1  |k<  $2  Ik 

(5)  $1  |«=  V>1  "  $11  ::  $12  ::  $13 

tkn  contains  states  of  the  form  ProcBlkEvtState(_  ,  _  ,  ei) 
tki2  contains  states  of  the  form  DoneBlkEvtState(_  ,  _  ,  ei,  _  ) 

fip  G  \1/13,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  ei),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e\,  _  ) 

(6)  $2  |k=  ipi  $11  ::  $12  ::  $23 

$ip  G  $23,  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  e2),  or  ip  =  DoneBlkEvtState(_  ,  _  ,  e2,  _  ) 

By  ipi  ei,  ipi  G  $2  |„,  ei  =  e2, 

(7)  ipi  G  $2,  and  ipi  ~b  e2 

By  ExtCoreRsi  |K<C  ExtCoreRs2  |«, 

(8)  ExtCoreRs  1  |K<  ExtCoreRs2  |K 
ExtCoreRsi  |K<c,ei  ExtCoreRs2  |K, 

ExtCoreRsi  |K=  ExtCoreRsbi  ExtCoreRsnb\, 

ExtCoreRs2  |K=  ExtCoreRsb2  ::  ExtCoreRsnb2 
ExtCoreRsbi  <B,e  1  ExtCoreRsb2 

every  core  in  ExtCoreRsb\  and  ExtCoreRsi  contains  a  blocking  event  handler  for  ei, 
no  blocking  event  handlers  for  ei  in  ExtCoreRsnbi  and  ExtCoreRsnb2 

(9)  \  ExtCoreR  G  ExtCoreRsi  |K,  3 ExtCoreR'  G  ExtCoreRs2  |K,  s.t.  ExtCoreR  |K<  ExtCoreR'  |K 
By  labOf  (e  1)  E  k,  and  Veft  G  ExtCoreR,  labOf  (eh)  =  labOf  (ExtCoreR) 

(10)  WExtCore  G  ExtCoreRsi,  s.t.  EHs  =  getActiveHandlers(ExtCoreR,  ei), 

3e/i  G  EHs ,  isBlocking(eh)  =  true 

AlabOf(e/i)-  =  labOf(ei) 

labOf  (extC  or  eR)  E  k,  ExtCoreR  G  ExtCoreRsbi 

(11)  ExtCoreRsbi  7^  • 

By  ExtCoreRsbi  <B,e1  ExtCoreRsb2 

(12)  V ExtCoreR  G  ExtCoreRsb  1,  there  is  ExtCoreR'  G  ExtCoreRsi 
s.t.  ExtCoreR  =  ( idext ,  (_  ,  _  ,  EventHandlersi  ::  ehi),  _ ) 

ExtCoreR'  =  (idext,  (_  ,  _  ,  EventHandlers2  e/i2),  -  ) 
efti  =  (eventTypeOf  (e) ,  _  ,  eventQueuei ,  _  ,  _  ,  blocking,  _  ) 
eft2  =  (eventTypeOf  (e),  _  ,  eventQueue 2,  _ ,  _ ,  blocking,  _ ) 

ExtCoreR  <  ExtCoreR' 

By  (2),  (10),  (11),  (12),  ei  =  e2 

(13)  3 ExtCoreR'  G  ExtCoreRs2,  EHs  =  getActiveHandlers(ExtCoreR,  e2), 

3e/i  G  EHs,  isBlocking(eh)  =  trueAlabOf(e/i)_  =  labOf  (e2) 

By  (7),  (13),  apply  EventFireBL  to  272 

(14)  r2;f2^i:';f',£'=f" 

(15)  £”2  =  -£2 [ExtCoreRs 2  -t=  ExtCoreRs2  <Iq  e2] 

By  ExtCoreRsi  |K<c  ExtCoreRs2  |«,  ei  =  e2,  Lemma  3 

(16)  ( ExtCoreRsi  <q  ei)  |K<C  (ExtCoreRs^  <q  e2)  |K 
By  Ti  |k<  2C2  |K,  (16),  STATE 

(17)  |K<  r2  Ik 
By  (A5),  (2),  (14) 

(18)  |k<  ^  Ik 
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sub-subcase  ii.  lab  Of  (e  1)  %  k 
By  Lemma  2 

(1)  ExtCoreRsi  <q  e\  |K=  ExtCoreRs i  |K 
By  (A4),  (1) 

(2)  E[  |K=  E\  |K<  E2  in 
By  (A2),  (A5) 

(3)  £[  |K<  £\  |K<  £ 2  Ik 

case:  BlockFinishedI 

e  is  a  blocking  event  e  ip  E  =  ('L,  Tabs ,  ExtCoreRs,  •  •  •)  'll  =  ’Ll  ::  if  ::  \p2 
=  ProcBlkEvtState(_  ,  _  ,  e)  or  DoneBlkEvtState(-  •  • ,  e,  _  ) 

^2  contains  matching  pairs  of  ProcBlkEvtState(_  ,  idr,  e )  and  DoneBlkEvtState(_  ,  idr,  e,  0) 

VExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR ,  e), 

\/eh  £  EHs,  labOf  (eh)~  =  labOf  (e)  A  is  Blocking  (eh)  =  true,  e  ^  Qof(eh) 

(ip1,  £\)  =  nextState(4  noChange)  E'  =  X’f’L  4=  'Ll  ::  ip'] 

- - - - BlockFinishedI 

E;£  -A  E'-,£  ::  £x 


By  assumptions 

(Al)  E\  =  ('L1,  Tabsi,  ExtCoreRsi,  ■  •  •) 

(A2)  ::  ipi  ::  Af12 

ipi  ei,  ei  is  a  blocking  event 

flip  £  ikii,  s.t.ip  =  ProcBlkEvtState(_  ,  _  ,  e\)  or  DoneBlkEvtState(-  •  • ,  e,  _  ) 

$12  contains  matching  pairs  of  ProcBlkEvtState(_  ,  idr ,  ei)  and  DoneBlkEvtState(_  ,  idr,  e\,  0) 
labOf  (ipi)  =  lab  Of  (e  1) 

(A3)  Vip  £  ^12,  lab  Of  (ip)  =  labOf  (ei),  \Pi2  |«=  \Pi2 

(A4)  WExtCoreR  £  ExtCoreRsi,  EHs  =  getActiveHandlers(ExtCore,  ei), 

Ve/i  £  EHs,  isBlocking(eh)  =  true  A  labOf (eh)~  =  labOf(ei),  ei  ^  Qof(eh) 

(A5)  (ip'i,£")  =  nextState(i/>i,  noChange),  =  \Pn  ::  ip[ 

(A6)  4  =  Ei  ['P1  ^  *'] 

(A7)  £[=£i-.:  £’f 

(A8)  E2  =  (’L2,  Tabs2,  ExtCoreRs2,  ■  •  •) 

sub-subcase  i.  labOf  (e  1)  C  k 
By  Lemma  1 

(1)  labOf  (ipi)  =  labOf  (ei)  C  k,  ipi  4=  Vh 

By  fF  1  |K<c  'P2  Ik,  which  forces  the  projection  of  the  two  states  to  have  the  same  states  with  regard  to  ei 

(2)  3 1p2  £  ^2  Ik,  S.t.  Ipi  |K<  lp2  Ik,  that  is  Ipi  <  1p2,  1p2  =  Ipi- 

(3)  ip2  ei, 

(4)  tp2  =  (P21  ::  V*2  u  vPi2 

flip  £  d/21,  s-t.  ip  =  ProcBlkEvtState(_  ,  _  ,  62)  or  DoneBlkEvtState(_  ,  _  ,  62 ,  -  ) 

By  Lemma  9 

(5)  tPn  |k<c  'I7 21  Ik 

By  ExtCoreRsi  |K<C  ExtCoreRs2  Ik, 

(6)  ExtCoreRsi  |K<  ExtCoreRs2  |K 
ExtCoreRsi  |K<c,ei  ExtCoreRs 2  |K, 

ExtCoreRsi  |K=  ExtCoreRsbi  ■■  ExtCoreRsnbi, 

ExtCoreRs2  |K=  ExtCoreRsb2  ■■  ExtCoreRsnb2 
ExtCoreRsbi  <B,e  1  ExtCoreRsb2 
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every  core  in  ExtCoreRsbi  and  ExtCoreRsb2  contains  a  blocking  event  handler  for  e\, 
no  blocking  event  handlers  for  e\  in  ExtCoreRsnb\  and  ExtCoreRsnb2 

(7)  V ExtCoreR  £  ExtCoreRsi  |K,  3ExtCoreR'  £  ExtCoreRs2  |K,  s.t.  ExtCoreR  |K<  ExtCoreR'  |K 
By  labOf  (e i)  C  k,  and  Ve/r  £  ExtCoreR ,  labOf  (eh)  =  labOf  (ExtCoreR) 

(8)  WExtCore  £  ExtCoreRsi,  s.t.  EHs  =  getActiveHandlers(ExtCoreR ,  ei), 

3 eh  £  EHs,  isBlocking(eh)  =  true 

AlabOf(e/t)_  =  labOf(ei) 

labOf  (extC or eR)  C  k,  ExtCoreR  £  ExtCoreRsbi 

(9)  ExtCoreRsbi  7^  • 

By  ExtCoreRsbi  <B,e  1  ExtCoreRsb2 

(10)  There  are  matching  pairs  of  ExtCoreR  and  ExtCoreR' , 

s.t.  ExtCoreR  =  (idext,  (-  ,  -  ,  EventHandlersi  ::  ehi),  _ ) 

ExtCoreR'  =  ( idext ,  (_  ,  _  ,  EventHandlers2  ■■  e/12),  -  ) 
eh  1  =  (eventTypeOf  (e\) ,  _  ,  eventQueue1 ,  _  ,  _  ,  blocking,  _  ) 
e/12  =  (eventTypeOf  (ei) ,  _  ,  eventQueue2,  -  ,  -  ,  blocking,  „ ) 
if  ei  2  eventQueue1,  e\  2  eventQueue2 
ExtCoreR  <  ExtCoreR' 

By  (A4),  (8),  (9),  (10),  e,  =  e2 

(11)  \/ExtCore '  £  ExtCoreRs2,  EHs  =  getActiveHandlers(ExtCore' ,  62), 

Ve/i  £  77-ffs,  isBlocking(eh)  =  true  A  labOf  (eh)~  =  labOf  (e2),  e2  ^  Qof(eh) 

By  (4)  (A2)  and  (11),  we  can  apply  BlockedFinishedI  to  Z2 

(12)  r2;£2^^;£2::£'' 

(13)  ('02 , £2  )  =  nextState(02,  noChange),  10  =  d/21  "  02 

(14)  02  =  0i,  £0  =  £'{,  labOf  (ip'2)  =  labOf  (ip[)  =  labOf  (6%)  =  labOf  (£'{)  =  labOf  (e  1) 
note  that  we  write  labOf  (£)  to  denote  the  uniform  label  of  all  events  in  £ 

(15)  r'  =  2^*2  <*=  *'2] 

By  (5),  (13),  (14),  Lemma  10 

(16)  10  |K<C  10  Ik 

By  assumption,  (14),  (15),  (16)  and  STATE 

(17)  Z[iK<Z'2lK 

By  (A7),  |K<  £2  4-k 

(18)  £'{  =  £f,  £'2  =  £2  ::  e-0  £'  |„<  £'  |K 
sub-subcase  ii.  lab  Of  (e  1)  (2  k 

By  Lemma  1,13 

(1)  labOf  (ip  1)  =  labOf  M/,)  =  labOf  (eA 

(2)  V0  £  $12,  labOf  (ip)  =  labOf  (e  1) 

(3)  labOf  (ei)  =  labOf  (ex) 

(4)  0i  |«=  •,  £"  Ik=  •,  0i  Ik=  •,  ^12  Ik=  • 

(5)  10  |K=  $i  |K 

(6)  27{  |k  =  £/i  |K<  272  Ik 

(7)  £(  |re  =  £1  |K<  £2  |K 

case:  BlockFinished2 
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e  is  a  blocking  event  S  =  ('L,  Tabs,  ExtCoreRs ,  ■  ■  ■)  *  =  ’Ll  ::  ip  ::  *2 

$ip  £  'Ll,  s.t. ip  =  ProcBlkEvtState(_  ,  _  ,  e)  or  DoneBlkEvtState(-  •  • ,  e,  _ ) 

*2  contains  matching  pairs  of  ProcBlkEvtState(_  ,  idi,  e )  and  DoneBlkEvtState(_  ,  idi,  e,  cf) 

WExtCoreR  £  ExtCoreRs,  EHs  =  getActiveHandlers(ExtCoreR,  e), 

Ve/t  £  EHs,  labOf(eh)~  =  labOf(e)  A  is  Blocking  (eh)  =  true,  e  ^  Qof(eh) 
getLastInstalledReturn(^> 2)  =  (k,  idj,Cj)  s.t.  Cj  7^  0 
(ip',£i)  =  nextStatef^k  Blocked(c7))  S'  =  ZI’L  <=  ’Ll  ::  ip'] 

- - - BlockFinished2 

E;£  -4  E';£  ::  £x 

By  assumptions  and  Lemma  1 

(Al)  Ei  =  (’Ll,  Tabsi,  ExtCoreRsi,  ■  ■  ■),  ’Lx  =  t&n  ::  ipi  ::  ’f'12 
(A2)  ipi  ei,  e\  is  a  blocking  event,  labOf(ip\)  =  labOf(ei) 

$ip  £  *n,  s.t  .ip  =  ProcBlkEvtState(_  ,  _  ,  ei)  or  DoneBlkEvtState(_  ,  _  ,  ei,  _  ) 
tp  12  contains  matching  pairs  of  ProcBlkEvtState(_  ,  idj,  e±)  and  DoneBlkEvtState(_  ,  idj,  ei,  Cj ) 
(A3)  labOf(ipi)  =  labOf(ei) 

(A4)  WExtCoreR  £  ExtCoreRsi,  EHs  =  getActiveHandlers(ExtCoreR ,  e±), 

Meh  £  EHs ,  labOf(eh)~  =  labOf(ei)  A  isBlocking(eh)  =  true,  ei  4  Qof(eh) 

(A5)  \/ip  £  *i2,  lab  Of  (ip)  =  labOf(ei) 

(A6)  getLastInstalledReturn(^>  12)  =  (idj  1,  Cji)  s.t.  Cj\  7^  0 
(A7)  (ipi,£")  =  nextState(,!/’i,  Blocked(cj)) 

(A8)  =  *u  ::  ip\ 

(A9)  E[  =  £i[*i  4=  *i] 

(A10)  £(  =  £1  ::  £'{ 

(All)  E‘2  =  (*2,  Tabs2,  ExtCoreRs2,  •  •  ■) 
sub-subcase  i.  lab  Of  (e  1)  C  k 
By  Lemma  1 

(1)  labOf(ipi)  =  labOf(ei)  C  k 

Vip  £  *12,  labOf(ip)  =  labOf(ei)  C  k 

ipi  4=  (/'ll  ^12  4=  ^12 
By*i4<c  *2  4,(1) 

(2)  3ip2  £  *2  4,  s.t.  Ipi  |«<  Ip2  4,  that  is  Ipi  <  1p2,  1p2  =  ipi- 

(3)  ip2  e2,  ei  =  e2,  e2  is  a  blocking  event 

(4)  *2  =  4/ 21  ”  1P2  *12 

$ip  £  (I/21.  s.t.  ip  =  ProcBlkEvtState(_  ,  _  ,  62)  or  DoneBlkEvtState(_  ,  _  ,  62,  -  ) 

By  Lemma  9 

(5)  *11  |k<c  4/21  |k 

(6)  'L22  =  (K 12, 

getLastInstalledReturn(^>22)  =  (idj2,Cj2)  s.t.  Cj2  7^  0 

Cf2  =  Cji 

By  ExtCoreRsi  44  ExtCoreRs2  4, 

(7)  ExtCoreRsi  Ik<  ExtCoreRs2  4 
ExtCoreRsi  44, ei  ExtCoreRs2  4, 

ExtCoreRsi  |K=  ExtCoreRsb  1  ExtCoreRsnbi- 
ExtCoreRs2  4=  ExtCoreRsb 2  ::  ExtCoreRsnb2 
ExtCoreRsbi  <B,ei  ExtCoreRsb2 

every  core  in  ExtCoreRsbi  and  ExtCoreRsb2  contains  a  blocking  event  handler  for  ei, 
no  blocking  event  handlers  for  ei  in  ExtCoreRsnbi  and  ExtCoreRsnb2 
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(8)  \l  ExtCoreR  G  ExtCoreRsi  J,K,  3 ExtCoreR'  €  ExtCoreRs 2  J,K,  s.t.  ExtCoreR  |K<  ExtCoreR'  \.K 
By  labOf  (e  1)  Q  K,  and  \/eh  £  ExtCoreR ,  labOf  (eh)  =  lab  Of  (ExtCoreR) 

(9)  WExtCore  £  ExtCoreRsi,  s.t.  EHs  =  getActiveHandlers(ExtCoreR ,  ei), 

3 eft  £  EHs ,  isBlocking(eh)  =  true 

AlabOf(eft)-  =  labOf(ei) 

labOf  (extCoreR)  C  re,  ExtCoreR  £  ExtCoreRsbi 

(10)  ExtCoreRsbi  7^  • 

By  ExtCoreRsbi  <B,e  1  ExtCoreRs 1,2 

(11)  There  are  matching  pairs  of  ExtCoreR  and  ExtCoreR' , 

s.t.  ExtCoreR  =  (idext,  (_  ,  _  ,  EventHandlersi  ::  efti),  _ ) 

ExtCoreR1  =  (idext,  (_  ,  _  ,  EventHandlers2  eh2),  -  ) 
efti  =  (eventTypeOf  (e  1),  _  ,  eventQueue1,  _  ,  _  ,  blocking,  _  ) 
e/i2  =  (eventTypeOf  (ei) ,  _  ,  eventQueue2 ,  _  ,  _  ,  blocking,  _  ) 
if  ei  ^  eventQueue1,  e±  £  eventQueue2 
ExtCoreR  <  ExtCoreR ' 

By  (A4),  (9),  (10),  (11),  ei  =  e2 

(12)  MExtCore'  £  ExtCoreRs2,  EHs  =  getActiveHandlers(ExtCore' ,  62), 

Veft  G  £f7s,  isBlocking(eh)  =  true  A  labOf  (eh)~  =  labOf  (e2),  e2  ^  Qof(eh) 

By  (A2),  (4),  (12),  apply  BlockedFinished2  to  272 

(13)  (if  2,  £2)  =  nextState('(/>2,  Blocked(cj2)) 

(14)  if'2=ff'l,£!f=£'f 

(15)  *'2  =  *21  "  1^2 

(16)  27'  =  e2[^2  *=  ^2] 

(17)  272;&-4iM 

(18)  £'2  =  £ 2  :: 

By  (5),  (14),  Lemma  10 

(19)  *i  4.«<c  *2  4* 

By  assumption,  (A9),  (16),  (19)  and  STATE 

(20) 

By  £1  <  £2,  (A10),  (18),  (22) 

(21)  £[iK<£'2iK 
sub-subcase  ii.  lab  Of  (e  1)  %  k 

By  Lemma  1,13 

(1)  labOf  (if  1)  =  labOf  (if[)  =  labOf  (eA 

(2)  \/if  £  *i2,  labOf  (if)  =  labOf  (e  1) 

(3)  labOf  (ej)  =  lab  Of  (e  1) 

(4)  V’r  4-k=  •,  £"  4-«=  •,  if'i  4-k=  •,  ^12  4-«=  • 

(5)  U=  *1 

(6)  4_k=  i7i  £2  4-k 

(7)  £[  4_k=  fi  )_K<  £2  Ik 

case:  EventDequeueCSI 
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Sctx{id)  =  (’£,  Tabsctx(id),-  ■  •)  tctx(id)  G  Tabsctx(id ) 
tctx(id)  =  (■••,  Doesctx(id),  ■  ■  ■)  Docctx(id)  G  Docsctx(id) 

Docctx(id)  =  (•••,  DocCSsctx(id ),  •  •  •)  DocCSctx(id)  G  DocCSsaxiid) 

DocCS ctx(id)  =  (_  ,  id,  _  ,  [  |,  EventHandlers  ::  ehCfX,  t) 

ehctx  =  (•,  eventType,  x.cmd,  e  ::  £\,  [[,  ide,  BlockingFlag,  return) 

labOf(e)  [2  i*  eh'ctx—  (■,  event  Type,  x.cmd,  £i,H,  id  e,  BlockingFlag,  return) 

DocCS'ctx(id)  =  DocCS ctx(id)[ehctx  <=  eh!ctx ] 

DocCSs'CfX(id)  =  DocCSsctx{id)[DocCS ctx{id)  <=  DocCS'CfX(id )] 

Docctx(id)  =  Docc/x(id)[I)ocC»S’sc/x(zd)  4=  DocC'S'scfX(*(i)] 
t'CtX  (id)  =  tctx(id)[Docctx(id)  <=  Doc'ctx(id)) 

Ktx(id)  =  Ectx(id)[tctx(id)  4=  ^(zd)] _ 

£cte[r,skip[]id;£  -4  r'telr,skip[id;f 


EventDequeueCS 1 


Let  E\  =  (\& i ,  Tabsi,  ExtCoreRsi,  progInjCSs1,  Exts\,  Cookiesi,  MB ookmarksi,  histories i,  UI i) 

Ei  =  (1QE,2 ,  Tabs2,ExtCoreRs2,progInjCSs2,ExtS2 ,  Cookies2,  MB ookmarks 2,  histories 2,  OT2) 

By  assumptions 
(Al)  £1  =  i7cte[r,  skip  [id 
(A2)  Tabs  1  =  Tabs"  ::  Tabi 

(A3)  Tabi  =  TabCfX\  T,  skip  |jd  =  (TablDi,  Docs  ::  DocCfX\T,sW\p\id,urli,EventHandlersi,li) 
(A4)  Docctx  |  T,skip  \id  =  ( idd ,  url,  nodes,  DocCSs  ::  DocCSctx\  E,skip  |  idJd) 

(A5)  DocCSCfX\  r,  skip  | ^  =  ( idext ,  id,  idt,  [T| ,  cmd,  EventHandlers  ::  ehctx\s\(\p\,  t) 

(A6)  ehctx  =  (•,  eventType,  x.cmd,  e\  ::  £”,  |[,  ide,  BlockingFlag ,  return) 

(A7)  eh'cix  =  (•,  eventType,  x.cmd,  £",  [|,  ide,  BlockingFlag,  return) 

(A8)  DocCS'ctx(id)  =  DocCS ctx(id)[ehlctx  <=  ehictx\ 

(A9)  Docrtx(id)  =  Docctx (id) [DocCS ctx(id)  •£=  DocCS'ctx(id)\ 

(A10)  Tabi'ctx(id)  =  Tabictx(id)[Docctx(id)  <=  Doc'ctx(id)\ 

(All)  Tabs\rfX(id)  =  Tabs\ctx(id)\Tabictx(id)  <=  Tabirfx(id)] 

(A12)  E[  =  E'ctx(id)  =  Ectx(id)(Tabslctx(id)  <=  Tabsi'ctx(id )] 

(A13)  labOf(ei)  %  C 
(A14)  £[=£i 

sub-subcase  i.  f  C  k  and  lab  Of  (e  1)  C  k 
By  DS1,  EH,  EVENT  1 

(1)  DocCSctx\  T,  skip  \id  iK=  (id ext,  id,  idt,  [L],  cmd,  EventHandlers  fK::  e/tcZx[skip[  \.K,l) 

(2)  e/iCfX[skip|  J,K=  (•,  eventType,  x.cmd,  e\  ::  £"  [ ski p| ,  ide,  BlockingFlag,  return) 

By  definition 

(3)  DocCSctx\  T,  skip  jid  J,kG  Tabi  iK 
By  Ei  ),K<  E2  \.k 

(4)  Tabs2  =  Tabs'2  ::  Ta&2  and  Tabsf  -j.K<  Tabs'f  and  Tabi  Tab 2 

By  definitions  and  (4) 

(5)  exists  DocCSs2  =  DocCSs'2  DocCS2 ,  DocCSs2  G  D0C2,  Doc2  G  Docs2,  Docs2  G  Tab2 
s.t.  DocCS ctx |  T,skip  | id  fK<  DocCS 2  iK 

(DocCSctx\  E,  skip  \id  ::  DocCSs)  J,K<  DocCSs2 
Docctx  1  r,  skip  1^  fK<  Doc2  iK 
(Docctx:  1  T,skip  |id  ::  Docs)  fK<  Docs2  lK 
By  (5),  DocCS 

(6)  D0CCS2  \-K=  (idext,  id,  idt,  \Tl,  cmd,  EventHandlers2  in'.',  e/12  \-kA) 

where  EventHandlers  ),«<  EventHandlerS2  e^ictxlskip[]  eh 2  4-k 
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By  (6) 

(7)  eli2  =  (•,  eventType,  x.cmd ,  e2  ::  £%,  [skip],  ide ,  BlockingFlag ,  return ) 
where  ei  <  e2,  namely  ei  =  e2  and  £"  J,K<  £." 

(8)  eft2  =  eti2ctx2 1  skip  [ 

(9)  =  DocCS2ctx2 1  r,  skip  \td 
DocCSs2  =  DocCSs2ctx2  \  r,  skip  |id 
Tab2  =  Tab2ctx2\  r, skip  |id 

Tabs2  =  Tabs2ctx2\  T,skip  |id 
^2  =  -S’actes  1  r,  skip 
Apply  EventDequeueCSI  to  E2 

(11)  eh,2ctX2  =  [■,  eventType,  x.cmd,  £2  ,\sk\p\,  id e,  BlockingFlag,  return) 

(12)  ehictx\  skip  [  |K<  eh2'ctx2 1  skip  |  lK 

(13)  DocCS  2'ctx2[id )  =  DocCS2ctx2(id)[eh2ctx2  <=  eh2'ctx2] 

(14)  Doc2ctx2{id)  =  Doc2ctX2{id)[DocCSs2ctx2{.id)  4=  DocCSs2ctx2(id)\ 

(15)  Tab2'ctx2(id)  =  Tab2ctx2{id)[Doc2ctx2{id)  <*=  Doc2'ctx2(id)\ 

(16)  Tabs2'ctx2(id)  =  Tabs2ctx2{id)[Tab2ctx2{id)  4=  Tab2ctx2{id)\ 

(17)  £'ctx2(id)  =  Sctx2(id)[Tabs2ctx2(id)  ra6s2/cte2(id)] 

(18)  rcte2I  T,skip  Jjd;f2  1  r,  skip  |i(i;  £2,  =  £2 

By  (4),  (5),  (12),  (13),  (14),  (15),  (16),  and  Lemma  6 

(19)  DocCS'ctx[id)  iK<  DocCS 2'ctx2[id)  iK 

(20)  DocCSs  DocCS' ctx[id )  J,K<  DocCSs2ctx2[id)  iK 

(21)  Doc'ctx(id)  U<  Doc2ctx2(id ) 

(22)  Tablctx(idy  lK<  Tab2 

ctx2 

(23)  Tabsictx(idy  lK<  Tabs2'ctx2[id)  \.K 

By  assumption,  Ex  |K<  E2  iK,  E1  =  Ectx\ T,skip  jid,  E2  =  Ectx2\ L,  skip  \id,  (15),  (21),  STATE 

(24)  -S’ctcJ  L,  skip  iK<  27'te2ir,skip|id  u 
By  assumption  and  (16) 

(25)  £[  U=  £1  U<  £'2  U=  £2  i. 
sub-subcase  ii.  t~  C  n  and  labOf[e  1)  %  k 

By  DS1,  EH,  EVENT2 

(1)  DocCS ctx [  T,  skip  |id  lK=  [id ext,  id,  idt ,  [E| ,  cmd,  EventHandlers  e/ictY|skip|  4 ,K,l) 

(2)  e/iCfX[skip|  J,K=  (■,  eventType,  x. cmd,  £'{  [skip],  ide,  BlockingFlag,  return) 

(3)  e/ic?x[skip[  J,K=  (■,  eventType,  x.cmd,  £"  4,K,|skip|,  ide,  BlockingFlag,  return) 

(4)  e^cfttIskiPl  4-«=  ehctx [skip]  U 

By  (4),  (A8),  (A9),  (A10),  (All),  (A12),  Lemma  6  and  STATE 

(5)  DocCS'ctx(id)  lK<  DocCSctx(id)  \.K 

(6)  DocCSs'ctx[id)  ,J,K<  DocCSsctx[id) 

(7)  Doc'ctx[id)  lK<  Docctx[id) 

(8)  Tab\ctx[id)  iK<  Tablctx[id )  4-* 

(9)  Tabsi'ctx[id)  iK<  Tabslctx[id) 

do)  e[  ;K<  a  iK 
By  (10),  E\  4-«<  E2  J-k, 

(11)  e'i  yK<  Ei  yK<  e2  u 

By  (A14),  £1  ;K<  £2  iK 

(12)  £[  iK=  £1  iK<  £2  iK 

sub-subcase  iii.  i~ 

By  DS2 

(1)  DocCSctx\  T,  skip  1^  i  Ei  iK 
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By  Si  iK<  E2  iK,  El  =  Ectx\  T,skip  [id,  and  EventDequeueCSI  does  not  change  Ectx  \  T,  skip  [id 
except  DocCSctx ]  T,  skip  lid)  DocCS'ctx [  E,  skip  |id  £  E[  iK 

(2)  E'ctx\ r,  skip \id  lK=  Ectx\  r,skip  \id  ±K<  E2  U 

By  assumption 

(3)  £[  =  £i,  £[  U<  £2  U 

case:  EventDequeueCS2 


Ectx(id)  =  (^,  Tabsctx(id),-  ■  •)  tctx(id )  G  Tabsctx(id) 

tctx(id)  =  (•  •  • ,  Docsctx(id),  •  •  •)  Docctx(id)  G  Docsctx(id) 

Docctx(id)  =  (•••,  DocCSsctx(id),  ■  ■  •)  DocCSctx(id)  G  DocCSsctx(id) 
DocCS CfX{id)  =  (_  ,  id,  _  ,  [  |,  _  ,  EventHandlers  ::  ehCfX,  (■) 
ehctx  =  (•,  eventType,  x.cmd,  e  ::  £\,  ||,  BlockingFlag,  return ') 

e  =  (ide,  eventType,  return,  ■  ■  ■ ,  Ke)  Ke  C  £* 

=  ne  >tnt  ^  eh  =  (•,  eventType, x.cmd,  £1,  [[,  id e,  BlockingFlag,  return) 
DocCS'ctx(id)  =  DocCSctx(id)[ehctx  <=  eh'ctx][£  4=  ('} 

DocCSs'ctx{id)  =  DocCSsctx{id)[DocCS Cfx(id)  <=  DocCS'ctx(id )] 

Docctx{id )  =  E>occZx(id)[DocC'5c?x(td)  4=  E>ocC5cfx(id)] 

(«0  =  tctx{id)[Docctx(id)  4=  Doc'ctx(id )] 
sctx(id)  =  Ectx(id)[tctx(id)  <=  t'ctx(id)} _ 

rctelr,skipltd;f  updL^’e'~)  E'ctx\v,cmd[e/x\  \id-,£ 


EventDequeueCS2 


Let  Ei  =  (d>i,  Tabs  1,  ExtCoreRsi,  progInjCSs1,  Exts\,  Cookiesi,  MBookmarksi,  historiesi,  UI\) 

E2  =  (’J,2,  Tabs2,ExtCoreRs2,progInjCSs2,Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2 ) 

By  assumptions 

(Al)  Ei  =  Ectx\ E,  skip  [id,  Tabsi  =  Tabs "  ::  Tabi 

(A2)  Tab  1  =  Th&c/xl  E,  skip  |jd  =  {TablDi,  Docs  ::  Docctx\  E,  skip  [jd,  url\,  EventHandlersi,  i\) 
(A3)  Docctx |  T,  skip  fid  =  (id d,url,  nodes,  DocCSs  ::  DocCSctx\  E,  skip  |id,  4) 

(A4)  Z?ocCS,CfX[  r,  skip  |id  =  ( irfexti  |E|,  cmd,  EJueniJyanrf/ers  ::  e/iCfY|skip|,  £) 

(A5)  ei  =  (zdg,  eventType,  return',  •  ■  ■  ,ne) 

(A6)  e/iCfX[skip|  =  (•,  eventType,  x.cmd,  e\  ::  £",  [skip] ,  ide,  BlockingFlag,  return) 

(A7)  =ne>tnti 

(A8)  eh'cix  =  (•,  eventType,  x.cmd,  £" ,  |crod[e/a;]|)  ide' ,  BlockingFlag,  return ') 

(A9)  DocCS'CfX(id )  =  DocCS ctx(id)[ehctx  <=  eh'Cfx\[£  <=  £\ 

(A10)  Doc'CfX(id )  =  Docctx(id)[DocCS ctx(id)  <=  DocCS'ctx(id)\ 

(All)  Tabictx(id)  =  Tablctx(id)[Docctx(id )  <s=  Doc'ctx(id)] 

(A12)  Tabs\rfX(id )  =  Tabs ictx(id)\ Tab ictx(id)  <=  Tabirtx(id)] 

(A13)  E'i  =  E'ctx(id)  =  Ectx(id)[Tabslctx(id)  <=  Tabsi'ctx(id )\ 

(A14)  £(  =  £1 

sub-subcase  i.  C  k,  kc  C  k,  updLab(e,t'~)  \.K=  updLab(e,t'~ ) 

By  DS1, 

(1)  £>ocC'S'c/x|  E,  skip  lid  4-k=  (zrfest)  id,  idt,  |r|,  cmd,  EventHandlers  ehctx |skip|4_K,£) 

By  definition 

(2)  DocCSctx  1  r,  skip  [jd  4-kG  Ta6i 
By  Ei  ),K<  £2 

(3)  Tabs2  =  Tabs'2  Tab2  and  Ta&s”  \.K<  Tabs'2  iK  and  Tabi  ).K<  Tab2  lK 

By  definitions  and  (3) 

(4)  exists  DocCS2  G  DocCSs2,  DocCSs2  G  Doc2,  Doc2  G  Docs2,  Docs2  G  Tab2 
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s.t.  DocCSctx\  r ,  skip  \id  lK<  DocCS2  4-k 

(DocCSctx ;I  r,skip  jid  ::  DocCSs )  4-k<  DocCSs2  4-k 
Docctx I  T,  skip  jid  lK<  Doc2  U 
{Docctxi  T,skip  | id  ::  Docs)  4_K<  Docs2  4_K 
By  (4),  DocCS 

(5)  DocCS 2  =  {idext,id,idt,\T\,  cmd,  EventHandlers2  ::  eh2,i) 
where  EventHandlers  EventHandlers 2  4-K,  eh  eh2  4-K 

By(5) 

(6)  eh2  =  (■,  event  Type,  x.cmd,  e2  ::  £2,  |skipj,  id  e,  Blocking  Flag,  return) 
where  e\  <  e2,  namely  e\  =  e2  and  £'{  |K<  £!{  4-k- 

(7)  eh2  =  eh2ctx2\sk\pl 

(8)  DocCS2  =  DocCS2ctx2\T,sk\p\id 
DocCSs2  =  DocCSs2ctx2\  r,  skip  \ld 
Tab2  =  Tab2ctx2\ F,  skip \id 

Tabs2  =  Tabs2ctx2\T,  skip  lid 
Sj2  E2  ctx2  |  r,  skip  I  id 
By  assumption  and  (6) 

(9)  labOf(e2)  =  labOf(e i),  labOf(e2)  E  n  and  labOf(e2)  E  £* 

Apply  EventDequeueCS2  to  E2 

(10)  eh2'ctx2\cmd\e/ x\\  =  {■, eventType,x. cmd, £2, \cmd[e/x\\, ide'  ,BlockingFlag, return') 

(11)  eh'ctx I  cmd[e/x\  |  |K<  eh2ctx2  [  cmd[e/x\  | 

(12)  DocCS 2'ctx2(id)  =  DocCS 2ctx2(id)[eh2ctx2  eh2'ctx2\[£  <=  £!) 

£'~  E  n 

(13)  Doc2ctx2(id)  =  Doc2ctx2{id)[DocCSs2ctx2(id)  <=  DocCSs2'ctx2{id )] 

(14)  Tab2ctx2{id)  =  Tab2ctx2(id){Doc2ctx2(id)  <t=  Doc2ctx2(id)\ 

(15)  Tabs2'ctx2(id)  =  Tabs2ctx2(id)[Tab2ctx2(id)  <=  Tab2ctx2(id)\ 

(16)  E'ctx2(id)  =  Ectx2(id)[Tabs2ctx2(id)  <*=  Tabs2'ctxZ (id)} 

(17)  Ectx2\T,sk\pld-£2  uPdLa^’e'^  T, skip  | td-£2.£'2  =  £2 

By  (4),  (11),  (12),  (13),  (14),  (15)  and  Lemma  6 

(18)  DocCS'ctx{id)  lK<  DocCS 2'ctx2 (id)  4-k 

(19)  DocCSs  ).K::  DocCS'ctx(id)  4-k<  DocCSs2ctx2{id)  4-k 

(20)  Docctx(id)  Doc2ctx2(id)  4-k 

(21)  Tablctx(idy  iK<  Tab2  ctx2  i'id)  4-k 

(22)  Tabslctx(id)'  |K<  Tabs2’ctx2{id)  \.K 

By  assumption,  Ex  lK<  E2  Ex  =  Ectx\ T,skip  Jid,  272  =  Ectx2\T,  skip \id,  (15),  (21),  STATE 

(23)  E’ctx\ T,  cmd[e/x\  \id  U<  E’ctx2\T,  cmd[e/x\  \id  iK 
By  assumption  and  (17) 

(24)  £'i  4-k=  £\  £2  4-k=  £2  4-k 

sub-subcase  ii.  £~  E  k,  ne  E  n,  updLab{e,£'~)  4-«=  ■ 

By  DS1 

(1)  DocCS ctx\  r,  skip  [id  \.K=  ( idext ,  id,  idt,  |r|,  cmd,  EventHandlers  4-«::  ehctx |skip[  4 ,K,t) 
By  (A7) 

(2)  £'  E  updLab(e,£'  )  4-k=  • 

By  DS2 

(3)  DocCSctx I  T,  skip  |id  4_k=  • 

By  (A10),  (All),  (A  12),  (A13)  Lemma  6  and  STATE 

(4)  ( DocCSs  ::  DocCSs'ctx{id))  4-K<  ( DocCSs  ::  DocCSsctx(id))  4-k 

(5)  Doc'ctx{id)  4-K<  Docctx(id)  U 
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(6)  Tabi'ctx(id)  |«<  Tablctx(id )  |« 

(7)  Tabs\ctx(id)  |K<  TabsXctx{id)  |K 

(9)  E[  |K<  Ei  |K<  E2  |K 

By  (A14) 

(10)  £[  |K=  £ 1  |K<  £2  Ik 

sub-subcase  iii.  i~  k,  updLab{e,i'~ )  |K=  • 

By  DS2 

(1)  DocCSctxlT,sk\plid  Ex  |K 

By  Ex  |K<  E2  |k,  Ei  =  Ectx |  T,  skip  | id,  and  applying  EventDequeueCS2  only  changes  DocCS,  DocCS  |K=  • 

(2)  E'ctjT,  cmd[e/x\  \id  |re=  Ectx\  T, skip  [id  |K<  E2  |« 

By  assumption 

(3)  £[  =  £1,  £[U<  £2  |K 

case:  The  proofs  for  EventDequeueCoreI  are  similar  to  the  proofs  for  EventDequeueCS  1. 
case:  The  proofs  for  EventDequeueCore2,  are  similar  to  the  proofs  for  EventDequeueCS 2. 


£ctx(id)  =  ('f,  Tabsctx{id),  ■  ■  •)  tctx{id)  £  Tabsctx(id) 
tctxiid)  =  {idti  Docsenv(id),url,  EventHandlers  ::  ehctx{id),  _) 
ehctx{id)  =  ( id ,  eventType,  x.cmd ,  e  ::  £1,  [ [,  ide,  Blocking  Flag,  return) 

Docenv(id)  £  Docsenv{id)  Docenv{id)  =  (•••,  nodes env {id),  -  •  •) 
nodeenv{id)  £  nodesenv{id)  nodeenv{id)  =  {id,  |,  £)  labOf{e)  %t* 

t'ctx (id)  =  tctxiid^ehctxjid)  <=  eh’ctx{id)\  S'ctx{id)  =  Ectx{id)[tctx{id)  <=  t'ctx{id )] 
£ctx  \  r,  skip  \id-,£  -4  E'ctx I  r,skip \id-,£ 


E ventDequeuePage  1 


case:  EventDequeuePageI  satisfies  Lemma  16. 


Let  Ei  =  (U/i,  Tabsi,  ExtCoreRsi, proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UIi) 
E 2  =  (H/2,  Tabs2,ExtCoreRs2,progInjCSs2,Exts2,  C ookies 2,  M Bookmarks 2,  histories 2,  UI2) 


By  assumptions 

(Al)  Ei  =  Ectx\ T,  skip  lid,  Tabsi  =  Tabs "  ::  Tabi 
(A2)  Tabi  =  Tabctx\T,  skip  \id 

=  {idt,Docsi  ::  Docenv{id),urli,  EventHandlersctx{id),£i) 

(A3)  EventHandlercjx{id)  £  EventHandlers ctx{id) 

EventHandlercjx{id)  =  {id,  eventType,  x.cmd,  ex  ::  £'{,  Q  Q ,  ide,  BlockingFlag ,  return) 
(A4)  Docenv{id)  =  (••■,  nodes env{id ),  ■  •  •) 

(A5)  nodeenv{id)  £  nodesenv{id) 

(A6)  nodeenv{id)  =  {id,  [T|,  £) 

(A7)  lab  Of  {e  1)  %  t* 

(A8)  eh'ctx{id)  =  ehctx{id)[ex  ::  £'{  <=  £'{] 

(A9)  TabCfX{id)  =  {idt,  Docs(id)env,  url,  EventHandlersctx{id),  £ i,ii) 

(A10)  E'i  =  E'ctx{id)  =  Ectx{id)[Tabctx{id)  <=  Tab'ctx{id)] 

(All)  £[=£1 
By  (A8),  (A9),  (A10) 

(1)  The  only  difference  between  E[  and  E-\  is  Ex  contains  ei,  while  E[  does  not. 

By  tab  1 ,  tab2,  event  1,  event2 

(2)  Vei,  E'i  |k<  Ei  |k<  E2  |k 
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By  (All) 

(3)  £\  =  £-,  <  £2 
case:  EventDequeuePage2 

Let  E\  =  (d/i,  Tabsi,  ExtCoreRsi,  progInjCSs1,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UI 1) 

E '2  =  (d/2,  Tabs?,  ExtCoreRs2, progInjCSs2,  Exts2,  Cookies2,  MB ookmarks 2,  histories 2,  UI2) 

By  assumptions 

(Al)  Ei  =  Ectx\ T,  skip  \id,  Tabsi  =  Tabs "  ::  Tabi 
(A2)  Tabi  =  Tabctx\  I\skip  [id 

=  {idt,  Docsenv(id),  url\ ,  EventHandlers  CfX{id) ,  £1) 

(A3)  EventHandlerctx{id)  G  Ev ent Handlers CfX (id) 

(A4)  EventHandlerCfX(id)  =  { id ,  eventType,x.cmd ,  ei  ::  £1,  fskip] ,  zde,  BlockingFlag,  return ) 

(A5)  Docenv(id)  G  Docsenv{id ),  Docenv{id)  =  (■■■,  nodes env {.id),  ■  ■  •) 

(A6)  nodeenv{id)  G  nodesenv{id ) 

(A7)  nodeenv{id )  =  (zd,  _  ,  nodes\ ,  _  ,  [r|,  (!) 

(A8)  ei  =  (zde,  eventType,  return',  ■  ■  ■  ,Ke) 

(A9)  Ke  C  £* 

(A10)  £'  =  Ke  \>tnt  £ 

(All)  EventHandler'lctx{id )  =  {id,  eventType, x. cmd, £\,  \cmd[e\/x\\, ide  , BlockingFlag, return') 
(A12)  node'em,{id)  =  nodeenv{id)[£  <=  £'\,  nodes'em,(id)  =  nodes  env  {id)[node  env  {id)  <=  nodeenv{id)\ 
(A13)  Docs'em,{id)  =  Docsenv{id)[nodeenv{id)  <=  nodeenv{id )] 

(A14)  Tab'ctx{id)  =  Ta&Cfjr(zd)[Docs(z(i)eW  4=  Docs'  {id) env] 

(A15)  =  E'ctx{id)  =  Ectx(id)[Tabctx{id)  <=  Tab'ctx{id )] 

(A16)  £)  =  £1 

sub-subcase  i.  C  n,  ne  C  k,  updLab{ei,£'~ )  iK=  updLab(ei,£'~) 

By  tabI,  tab2,  event  1,  (A8) 

(1)  Ttt&tcZxI  T,  skip  1  id  -I'K.  —  {idt,  Docsenv{id)  |K,  -  , 

prur\e(EventHandlersctx{id),  Docsenv{id)  4-«)  I*,-) 

(2)  Ta&icfxl  r>  skiP  i»d  IkG  £1  Ik 
By  (A7),  NODEl,  EVENT  1 

(3)  node em, {id)  4.k,G  E\ 

(4)  id  G  Docenv{id)  |K 

(5)  EventHandlerctx{id)  \.K=  {id,  eventType,  x.cmd,  e\  ::  £1  J,re,  I  ski  p  [ ,  zde,  BlockingFlag,  return) 

(6)  EventHandlerctx{id)  4.KG  Tabctx I  r,  skip  |id 
By  4-«<  E2  \.k 

(7)  3Ta&2CfxI  I\  sk'P  li<z  e  ^2,  s.t  Tabctx I  r,skip  |id  J.K<  Ta&2cZxl  r>  skiP  ltd  Ik 

(8)  Ta&2cfxl  r,  skip  [jd  =  (zd*,  Docs2env{id),  -  ,  EventHandlers ”  ::  EventHandler2ctx{id) ,  -  ), 

where  Docs”  ).«<  Docs2  |K,  Docenv{id)  |K<  Doc2env2{id)  |K,  Doc2env{id)  G  Docs2env{id) 
3node2  G  Doc2env2{id),  s.t.,  nodeenv{id)  ).K<  node 2  4-k, 
node 2  =  node2env{id )  =  (*d,  _  ,  nodeS2,  -  ,  |]r[,  £) 
id  G  Doc2env{id)  |K 

EventHandler 2ctx{id)  |reG  Ta&2CfxI  r,skip  |id 
EventHandlerCfX{id)  4-K<  EventHandler2ctx{id)  Ik 

EventHandler2ctx{id )  |K=  {id,  eventType,  x.cmd,  e2  ::  £2,  [skip],  zde,  BlockingFlag,  return) 
£\  Ik£~  £2  Ik?  4.k£:  e2  4.^,  that  is  ei  —  e2 
By  ei  =  e2,  (8),  apply  eventDequeuePage2  to  272,  L2  =  L,  skip  [id 

(9)  EventF£andler'2ctx2{id)  =  {id,  eventType,  x.cmd,  £2,  ]cmd [e2/x]|,  zd/,  BlockingFlag,  return') 

(10)  node2env{id)  =  n°de2env{id)[£  <=  £'] 
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(11)  Docs2env(id)  =  Docs2env{'i'd)[node2env{'i'd)  <=  node2env{id)] 

(12)  Tab2'ctx(id )  =  Tab2ctx(id)[DocS2(id)env  <=  Docs2'  (id)env] 

(13)  E[  =  E'ctx(id)  =  Ectx(id)[Tab2ctx(id)  4=  Tab2'ctx(id)\ 

(14)  £'2  =  £2 

By  (12),  (All),  (A  12),  (A13),  (A14),  (A15),  (9),  (10),  (11),  (12),  (13),  Lemma  6,  STATE 

(17)  nodeenv(id )  iK<n  node'2env2(id)  iK 

(18)  Docs' env(id)  iK<  Docs2env2(id )  iK 

(19)  Tab'ctx(id)  iK<  Tab2ctx2(id) 

(20) 

By  (A16),  (14),  <  £2 

(2i)  r;  <  £!2 

sub-subcase  ii.  i~  C  n,  labOf(ei)  £  k,  updLab(e\,£'~)  4_K=  • 

By  (A10),  labOf(ei)  £  k 

(1)  £'~  £  k 

By  (1),  (All-14),  node,  nodeI,  node2,  tabI,  tab2.  Lemma  6 

(2)  nodeenv'  4-k=  nodesi  4_K 

(3)  nodes env {id)  iK<ns  nodes'em,{id) 

(4)  Docenv  ( id )  lK  <  Doc'em,  ( id )  ±K 

(5)  Docsenvi’id)  iK<  Docs'env(id) 

(6)  flid  £  Docsiem,{id)  iK 

(7)  EventHandler'ctx(id)  \.K£  Tab'CfX(id) 

(8)  prun e{EventHandlersCfX{id) ,  Docs'env(id)  J,K<  prun e(EventHandlersctx(id),  Docsenv(id)  |K) 

(9)  Tabctx{id)  iK<  Tab'ctx{id)  iK 
By  (A15),  STATE 

(10)  E[iK<E1iK 
By  (A16) 

(11)  £[U<£iU 

sub-subcase  iii.  £~  £  k,  updLab(e\,£'~ )  lK=  ■ 

By  (A5),  (A6),  (A7),  tabI,  tab2  DOCl,  doc2,  node2 

(1)  {Bnode  =  (id,  ■  ■  •)  £  Docenv(id ) 

(2)  id  £  Docsem,(id)  iK 

(3)  prune(EventHandlerctx(id),  Docsenv(id)  -Ik,)  -Ik,£  TabCfX(id) 

By  £~  £  k,  (A12),  tab  1,  tab2  DOCl,  doc2,  node2 

(4)  £'~  £  k 

(5)  flnode  =  (id,  •  •  •)  £  Doc  'env (id) 

(6)  id  £  Docs'env(id) 

(7)  prur\e(EventHandlerctx(id),  Docs'env(id)  J,K)  ^K£  Tab'ctx(id)  \.K 
By  (All-15),  (1),  (3),  (5),  (7) 

and  EventDequeuePage2  dose  not  change  other  components  except  nodeenv(id)  and  EventHandlerctx(id) 

(8)  E[ 

By  (A15) 

(9)  £{  4_k<  £\ 

case:  EventDequeueCoreBlocking  1 
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Ectx(id)  =  (\L,  Tabs,  ExtCoreRsCfX{id ),  •  •  •) 

ExtCoreRCfX(id )  €  ExtCoreRsCfX{id ) 

ExtCoreRCfX(id)  =  (id,  ([[,  _  , EventHandlers  ::  ehCfX),l) 

ehctx=  (■,  event  Type,  x.cmd,  e  ::  £±,  [[,  ide,  blocking,  return) 

labOf(e)  7^  e^'ctx  ~  (">  eventType,  x.cmd,  £ i,  ||,  ide,  blocking,  return) 

ExtCoreRctx' (id)  =  ExtCoreRctx(id)[ehctx  <=  eh'ctx\ 

ExtCoreRsctx  (id)  =  ExtCoreRsctx(id)[ExtCoreRsctx(id)  4=  ExtCoreRsCfX  (id)\ 

E'ctx(id)  =  Ectx(id)[ExtCoreRsCfx(id)  <=  ExtCoreRsctx(id)\ 

- ; - - - - - EventDequeueCoreBlock: 

Zctx  1  r, skip  \id-,£  — s>  r'telr,skip[id;£ 

Let  E\  =  (’Ll,  Tabsi,  ExtCoreRsi,  progInjCSs1,  Exts\,  Cookiesi,  MB ookmarksi,  histories i,  UI i) 

E2  =  ( 13/ 2 ,  Tabs2,ExtCoreRs2,progInjCSs2,Exts2,  Cookies2,  MB ookmarks 2,  histories 2,  UI 2) 

By  assumptions 

(Al)  Ei  =  Ectx\  r,  skip  [id,  ExtCoreRsi  =  ExtCoreRs"  ::  ExtCoreR 

(A2)  ExtCoreR  =  ExtCoreRictx\  T,  skip  \id  =  (id,  ( [L[ ,  cmd,EHs  ::  ehctx\ skip]), I') 

(A3)  ehctx  [ski p[  =  (•,  eventType,  x.cmd,  £  ::  ei,  |skip|,  ide,  blocking,  return) 

(A4)  lab  Of  (e  1)  7^  £~ 

(A5)  e/i^tvlskipl  =  (')  eventType,  x.cmd,  £ ,  [skip] ,  ide,  blocking,  return) 

(A6)  ExtCoreRctx' (id)  =  ExtCoreRctx(id)[ehctx  <=  eh'ctx\ 

(A7)  ExtCoreRsctx  (id)  =  ExtCoreRsrtx(id)\ExtCoreRsrtx(id)  <=  ExtCoreRsctx  (id)  1 
(A8)  E'ctx(id)  =  Ectx(id)[ExtCoreRsctx(id)  <=  ExtCoreRs'ctx(id)} 

(A9)  E[  =  E'ctx(id) 

(A10)  Ectx\ T,skip \id-,£i  -4  E'ctx\ T,skip  \id-,£'i,  £\  =  £[ 
sub-subcase  i.  l~  C  n,  e  iQ  k 
By  ExtCoreI,  EH 

(1)  ExtCoreRctx\ F,  skip \id  fK=  (id,  (\T\,  cmd,  EHs  e/z.c?jc [skipl  lK),t) 

(2)  e/icte[skip|  fK=  (•,  eventType, x.cmd,  £  ).K::  ei,  [ ski p| ,  ide,  blocking,  return) 

(3)  ExtCoreRctx |  E,  skip \id  4_Ke  Ei 
By  Ei  E2 

(4)  ExtCoreRsi  4-k<c  ExtCoreRs2  \ 

(5)  'Ll  <c  *L2 

By  ExtCoreRsi  4.K<C  ExtCoreRs2 

(6)  ExtCoreRsi  ExtCoreRs2  fn 

(7)  3ExtCoreR2,  s.t.,  ExtCoreRs2  =  ExtCorcRsf  ::  ExtCoreR2 

ExtCore2  =  ExtCoreRctx'  1 1\  skip  \id 
ExtCoreRctx [  I\  skip  \id  fK<  ExtCoreR'ctx\  I\  skip \%d 
ExtCoreR'ctxl  T,skip  [id  =  (id,  (||r[,  cmd,EHs2  ::  e/i2cfxlskip|),  £),  EHs  fK<  EHs2 
e/i2cfcJskipj  =  (•,  eventType,  x.cmd,  £'  ::  e2,  [skip | ,  ide,  blocking,  return ),  £  \.K<  £'  ei  fK=  e2  in 

(8)  labOf(ei)  L  k,  ei  fK=  e±,  ei  =  e2 

By  labOf(e2)  =  labOf(e  1)  7^  l~ ,  apply  EventDequeueCoreBlocking  1  to  E2,  let  E2  =  rcte2[  T,  skip  \id 

(11)  eh'2ctx2  fskipj  =  (•,  eventType,  x. cmd,  £' ,  (skip],  ide,  blocking,  return) 

(12)  ExtCoreR2'ctX2(id)  =  ExtCoreR2ctX2(id)[eh2ctx2ls^Pl  <=  eh'2ctx2  [skip[] 

(13)  ExtCoreRs 2 ctx2(id)  =  ExtCoreRs2ctx2^d)[ExtCoreR2ctX2(id)  <=  ExtCoreR2ctx2(id)\ 

(14)  E2ctx2(id)  =  E2ctX2(id)[ExtCoreRs2ctX2(id)  <=  ExtCoreRs 2 ctX2(id)} 

(15)  E2ctx2\T,s\(\<p\id-,£2  E2'ctxZ\T ,sW\p\ld]£!2,  £’2  =  £2 

By  (A5),  (7),  (11) 

(16)  eh'ctx\ skip|  |K<  eh2'ctx2\s\(\p\  U 
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By  (16),  Lemma  6 

(17)  ExtCoreRCfX\T ,  skip] (*c?)  <  ExtCoreR^ ctx2\T ,  skip|(id) 

(18)  ExtCoreRs'ctx\T ,  skip]  (id)  <  ExtCoreRsctx  [r,  skip]  (id) 

As  e/icta; [skip]  in  ExtCoreRi  and  eh,2ctx2  Iskip]  in  ExtCoreR2  dequeue  the  same  event,  other  eventhandlers  are  not  changed 

(19)  ExtCoreRs'ctx\T ,  skip[(id)  <c,ei  ExtCoreRs2ctX2  fr,  skip[(id) 

(20)  for  all  blocking  handler  e,  ExtCoreRs'ctx\T ,  skip|(id)  <Cje  ExtCoreRs2ctx2  [T,  skipj(id) 

By  (19),  (20) 

(21)  ExtCoreRs'ctx\T,  skip[(id)  <c  ExtCoreRs2'ctx2  [E,  skip[(id) 

By  (21),  STATE 

(22)  E'ctx(id)  <  E2'ctx2(id),  that  is  E[  <  E2 

By  £\  £ 2  iK 

(23)  £[  U<  £'2  iK 

sub-subcase  ii.  £~  Q  k,  e 

By  ExtCoreI,  EH 

(1)  ExtCoreRctx\  T,  skip  \id  iK=  (id,  (|r[,  cmd,  EHs  4,«::  ehctx [skip]  U),t) 

(2)  e/tcta.[skip|  4-k=  (■,  event  Type,  x.  cmd,  £  ei  4,K,  [skip],  ide,  blocking,  return) 

=  (■,  event  Type,  x.  cmd,  8  [skip],  ide,  blocking,  return)  =  e/i(,ta.[skip[ 

By  (A6),  (A7),  (A8),  (A9) 

(3)  E[  4-k=  8\  8*2  Ik 

By  8X  |K<  £2  4*,  and  (A10) 

(4)  S[U<£2iK 
sub-subcase  iii.  t~  %  k 

By  ExtCore2 

(1)  ExtCoreR  iK=  ■,  ExtCoreRctx\ T,  skip \id  £  Ex  4,K 

(2)  ExtCoreR'  lK=  ■,  ExtCoreRctx'\  T,  skip  ^  E[ 

By  E1  iK<  E2  Ik,  81  =  8ctx\  T,skip \id,  and  E[  =  E'ctx\ V,  skip \id, 

EventDequeueCoreBlockingI  only  updates  ExtCoreR,  (1),  (2) 

(3)  8[  4,k=  81  4,k<  82  lK 
By  assumption 

(4)  £(  4-re=  £1  £ 2  4-k 

case:  EventDequeueCoreBlocking2 


8ctx(id )  =  (d/,  Tabs,  ExtCoreRsctx(id),  ■  ■  ■) 

ExtCoreRctx(id )  €  ExtCoreRsCfX(id) 

ExtCoreRctx(id)  =  (id,(\\,  _ ,  EventHandlers  ::  ehcjx),£) 
ehctx  =  (•,  eventType,x.cmd,  e  ::  £\,  [[,  ide,  blocking,  return) 
e  =  ( id'e ,  event  Type,  return,  ■  ■  ■ ,  ne) 

ne=£~  fresh(idr)  if)  =  ProcBlkEvtState(«e,  idr,  e) 

eh'ctx  =  (-,  event  Type,  x.  cmd,  £1,  ||,  id'e,  blocking,  some(e,  idr)) 

ExtCoreRctx' (id)  =  ExtCoreRctx(id)[ehctx  •<=  eh'ctx] 

ExtCoreRsctx  (id)  =  ExtCoreRsctx(id)[ExtCoreRsctx(id)  <=  ExtCoreRsctx  (id)\ 
8'ctx(id)  =  8ctx(id)[ExtCoreRsctx(id )  4=  ExtCoreRs'ctx(id)][^>  <=  d'  ::  ijj\ 

rcte[r,skip \id-,£  — »  8'ctx  1  r,  cmd[e/x]  \id\£ 


EventDequeueCoreBlocking2 


Let  Ei  =  (d/i,  Tabsi,  ExtCoreRsi, progInjCSs1,  Exts\,  Cookies±,  MBookmarksi,  historiesi,  UI\) 
82  =  (d/2,  Tabs2,ExtCoreRs2,progInjCSs2,ExtS2,  C ookies 2,  MB ookmarks 2,  histories 2,  UI2 ) 

By  assumptions 
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(Al)  Ei  =  Ectxj  r,  skip  \id,  ExtCoreRsi  =  ExtCoreRs '[  ::  ExtCoreR 

(A2)  ExtCoreR  =  ExtCoreRctx\  T,  skip  \id  =  (id,  ([T],  cmd ,  EHs  ::  ehctx\sVi\p\),C) 

(A3)  e/icte[skip|  =  (•,  event  Type  ,x.  cmd,  £  ::  e\,  |skip|,  ide,  blocking,  return) 

(A4)  ei  =  ( id'e ,  eventType ,  return ,  ■  ■  ■ ,  Ke),  ne  =  t~ 

(A5)  fresh(idr ) 

(A6)  eh'CfX\cmd[ei/x]\  =  (•,  eventType,  x. cmd,  £,  [cmd[ei/a;][,  ide',  blocking,  some(ei,  idr)) 

(Al)  ExtCoreRctx' (id)  =  Ext.CoreRctx(id)[ehctx  ^  eh'ctx\ 

(A8)  ExtCoreRs \  =  ExtCoreRsctx  (id)  =  ExtCoreRsCfX(id)[ExtCoreRsCfX(id)  <=  ExtCoreRsctx  (id)\ 

(A9)  i/ji  =  ProcBlkEvtState(Ke,  idr,  ei),  'E',1  =  ’Ll  ::  r/’i 

(A10)  E'ctx(id)  =  Ectx(id)[ExtCoreRsctx(id)  -4=  ExtCoreRs'CfX(id)][^ ±  <=  4''1] 

(All)  E{  =  E'ctx(id) 

(A12)  Ectx\T, sk\p\id-£1  E'ctx\r,cmd[e1/x]U,£[,£[=£1 

sub-subcase  i.  £~  C  n 

By  ExtCoreI,  EH 

(1)  ExtCoreRctx  I  I\skip \id  |K=  (id,  (|r[,  cmd,  EHs  |K::  ehctx  [skip]  iK),i) 

(2)  e/ictx[skip|  |K=  (-,  eventType,  x. cmd,  £  \.K::  e\,  [skip],  ide,  blocking,  return) 

By  definition 

(3)  ExtCoreRctx [  T,  skip  \ld  4_KG  Ex  4_K 
By  Ei  E2 

(4)  ExtCoreRs  1  4_K<C  ExtCoreRs2  4-K 

(5)  ^1  ;K<C  ^2  U 

By  ExtCoreRsi  |K<C  ExtCoreRs2 

(6)  ExtCoreRsi  ExtCoreRs2  \.K 

(7)  3ExtCoreR'ctx\  I\  skip  [ id  G  ExtCoreRs2  s.t.,  ExtCoreRctx\  T,  skip  \id  |K<  ExtCoreR'ctx\  I\  skip  [ id  lK 
ExtCoreR'ctx\ E,  skip  \id  =  (id,  (|r|,  cmd,EHs2  ::  e/i2ctYIskip|),  .f),  EHs  iK<  EHs2  |K 

e^2cteIsk'Pl  =  (')  eventType,  x.  cmd,  £'  ::  e2, 1  ski  p  [ ,  ide,  blocking,  return ),  £  ).K<  £'  ei  ),„=  e2  \ ,K 

(8)  labOf(ei)  C  k,  ei  ),«=  ei,  ei  =  e2 

(9)  ExtCore 2  =  ExtCoreRctx  1  E,  skip  \  ld 

(10)  ExtCoreRs2  =  ExtCoreRs 2  ::  ExtCoreR2 

By  Iab0f(e2)  =  l~ ,  apply  EventDequeueCoreBlocking2  to  E2,  let  E2  =  Ectx2  \  T,skip  [id 

(11)  fresh(id'r),  1^2  =  ProcBlkEvtState(«;e,  id'r,  e2),  ip2  =  ipi,  'L2  =  ^2  ::  ip2 

(12)  eh'2 ctx2 [ cmd [e2 /x] [  =  (-,  eventType,  x. cmd,  £' ,\cmd[e2/x]l,  ide' ,b\ock\ng,some(e2,  id'r)) 

(13)  ExtCoreR2'ctx2(id)  =  ExtCoreR2ctx2(.id)[eh2ctX2\cmd{e2/ x\\  4=  eh'2ctx2\cmd[e2/x\\\ 

(14)  ExtCoreRs2ctx2(^d)  =  ExtCoreRs2ctx2{^d)[ExtCoreR2ctx2(^d)  <=  ExtCoreR2ctx2(id )] 

(15)  E2'ctx2(id)  =  E2ctx2(id)[ExtCoreRs2ctx2(id)  ExtCoreRs2'ctx2(id)][\ L2  -<=  2] 

(16)  E2ctx2\ E,  skip  |i£i; E2ctX2 1  E ,  cmd[e2/:r]  =  £2 

By  (12) 

(17)  e/4xIskiPl  U<  eh2ctx2\sk\pl  iK 
By  (17),  Lemma  6 

(18)  ExtCoreR'ctx^d)  <  ExtCoreR2'ctx2('i'd) 

(19)  ExtCoreRs'ctx(id)  <  ExtCoreRs2'ctx2(id) 

As  both  of  ExtCoreRi  and  ExtCoreR2  dequeue  the  same  event  without  changing  other  parts 

(20)  ExtCoreRs'ctx\T ,  skip[(zd)  <c  ExtCoreRs2ctx2  fL,  skip[(zd) 

By  (5),  ei  =  e2 

(21)  lK=ip::  ^11  ::  ^12  ::  ^13 

4>  ~b  ei 

(hn  contains  states  of  the  form  ProcBlkEvtState(_  ,  _  ,  ei) 
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^12  contains  states  of  the  form  DoneBlkEvtState(_  ,  _  ,  e\,  _  ) 

pip'  £  \l/ 13 ,  s.t.  i p'  =  ProcBlkEvtState(_  ,  _  ,  ei),  or  ip'  =  DoneBlkEvtState(_  ,  _ ,  ei,  _ ) 

(22)  T',  lK=  ip  ::  ('Eu  ::  ipi)  ::  T12  "  ^13 

(23)  ^2U=ip:-  'I'll  ::  ^12  "  ^23 

pip’  £  1&23,  s.t.  ip'  =  ProcBlkEvtState(_  ,  _  ,  ei),  or  ip'  =  DoneBlkEvtState(_  ,  _  ,  e±,  _ ) 

(24)  4>2  4-k=  ip  "  (’En  ::  1P2)  ^12  ::  ^23  =  ip  (’En  ::  ipi)  "  ^12  ::  ’E 23 

(25)  |K<c,e  %  iK,  iK<  % 

By  (25),  and  EventDequeueCoreBlocking2  does  not  change  any  other  browserstate  in  \J/23 

(26)  V,  i.<c 

By  (20),  (26),  STATE 

(27)  E'ctx(id)  <  E2'ctxZ{id),  that  is  E[  <  E '2 
By  £ 1  -J.K<  £2  4-k 

(16)  £[  iK<  £'2  iK 

sub-subcase  ii.  l~ 

By  ExtCore2 

(1)  ExtCoreR  4 -K=  ■,  ExtCoreRctx\  I\  skip  ^  E\  4_K 

(2)  ExtCoreR'  4-K=  ■,  ExtCoreRCfX'\  T,  cmd[ei/a;]  [id  ^  E[  4.« 

(3)  ExtCoreRsi  4,K=  ExtCoreRs ^  \.K 
By  Browserstate2 

(4)  Ipi  u=  u=  'El  |K 

EventDequeueCoreBlocking2  only  updates  ExtCoreR ,  adds  t/’i-  By  (3)  and  (4) 

(5)  E[  4-k=  2?i  4-k<  2-2  4-k 
By  assumption 

(6)  £[  4.k=  £\  4-k<  £2  4-k 

5.2  Proof  of  Lemma  15 

The  proofs  for  reading  APIs  and  DomNodeWrite  are  straightforward  as  the  structure  of  the  tree  does  not  change  by 
these  APIs.  The  equivalence  relation  can  be  established  easily.  The  interesting  APIs  are  the  ones  that  change  the  tree 
structure. 

case:  DomAppendChildren(Ia) 


DomAppendChildren(a) 

Zctx{id)  =  (’E,  Tabs  ::  tctx(id),  ■  ■  •) 

£1  =  ctxOfld(27cfec[  T,  let  x  =  domAPI.appendChild(«dj,  idd,  idn,  node  1,  £1)  in  cmd  [id,  id) 
k  =  l\~  t  =  ( idt ,  -  ,  Docs  ::  Doc ,  •  •  •) 

Doc  =  ( idd ,  -  ,  nodes,  _  ,  _  )  node  £b  nodes  node  =  ( idn ,  (•  •  • ,  £ children ,  ■  ■  •),  nodes  1,  •  •  • ,  £„) 

node  1  =  (idi,  (■  ■  ■  ,(parent,£pre,  ■),  -  ,£1)  purl  £  attributes 

K  £  £ children  ^  £ parent  E  £pre  £ succ  —  nextSlbleOf  ( laSt(  /10l/p.S  |  ) )  11  C  Esucc 

Doc'  =  Doc[node  <=  append  {node,  nodei)]  t'  =  f[Hoc  4=  -Doc7]  E'ctx(id )  =  27CfcE(zd)[f  -<=  £] 


Actx [  T,  let  a:  =  domAPI.appendChild(zdt,  idd,  idn,  node  1,  £1)  in  cmd  [id 


a  I  I  (dom  API.  append  Child,  ( idt ,  id  d,idn,  node  \  ,^i),pointersOf(nocZe^),tt) 


E'ctx\T,  cmd[pointersOf(node,1)/a:]  \id\ ■ 


Subcase:  the  script  is  a  content  script  handler. 

By  assumptions 

(Al)  Ei  =  Ectx(id)  =  ('E,  Tabs  ::  tctx(id),  ■  •  •) 

(A2)  i\  =  ctxOfld(I7cte[  T,  let  x  =  domAPi.appendChild(idt,  idd,  idn,  nodea,ii)  in  cmd  [id,  id) 
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(A3)  t\  =  ( idt ,  -  ,  Docs i  ::  Doc i,  •  •  •) 

(A4)  Doc\  =  ( idd ,  _  ,  nodes i  ::  node,  _  ,  _  ) 

(A5)  node  —  (idn,  (*  •  •  ,  (children,  ' '  *)?  nodes i,  •  *  •  ,£n) 

(A6)  node i  —  (id± ,  (*  *  *  ,  C parent  ,  -(pre  ,  ‘ ) ;  -  1  ('I  ) 

(A7)  €  attributes 

(A8)  £Succ  =  nextSibleOf(last(no<iesi)) 

(A9)  ^  ^ children  ,  ^  L  ( parent  tt  E  (pre  L  (  succ 

(A10)  Doc\  =  Doc[node  <t=  appendjnode,  node[)] 

(All)  t[  =  <i[Hoci  Doc[ ] 

(A12)  Si  =  E'ctx(id)  =  Sctx(id)[h  «=  t[] 

sub-subcase  1.  The  script’s  label  t  \  %  n„. 

There  are  two  cases  here.  One  is  that  such  append  float  some  labels,  the  other  is  not. 

In  the  latter  case,  the  update  does  not  affect  the  projection  and  less  than  relation. 

In  the  former  case,  the  projection  of  the  dom  will  sever  links  between  nodes. 

In  this  case,  the  less  than  relation  can  be  re-established  using  a  different  set  of  rules 
that  take  into  consideration  the  missing  links, 
sub-subcase  2.  The  script’s  label  t  \  C  n. 

Let  £2  =  Zctx2 1  T,  let  x  =  domAPI.appendChild(zdt,  idd,  idn,  node \,£\)  in  cmd  [ id 

Here,  no  labels  are  tainted  due  to  the  addition  of  new  node. 

The  resulting  state  still  relation  to  each  other  using  the  same  derivation. 

Subcase:  the  script  is  a  page  script  handler.  The  proofs  are  similar  to  above  proofs, 
case:  DomRemoveChild 


Zctx{id)  =  ('L,  Tabs  ::  tctx(id),-  •  •) 

£  =  ctxOfld(£cte[  T,  let  x  =  domAPI.removeChild(*(it,  idd,  idp,  idc)  in  cmd  \id,  id) 


t  =  (idt,  -  ,  Docs  ::  Doc,  ■  ■  ■)  Doc  =  (idd,  -  ,  nodes,  _  ,  _  ) 


node  £  nodes 


node  =  (idp,m,  nodes\  ::  node  1  ::  nodec  ::  node 2  ::  nodes 2,  (•  •  • , (-children,  ■  ■  ')>(p ) 


,(■ 


=  ,•••),•••)  node2  =  (•••,(• 


k  C 


k  C  £pre 


node  1  =  (•  •  • 

£ children 

node 1  —  node\(£SUCc  [ >tnt  ^succ]  node2  nodei ]£Pre  =  \^tnt  (Pre\ 

node'  =  (idp,  m,  nodes\  ::  node\  ::  node2  ::  nodes2,  (•••,«  >tnt  ( children ,  ■  ■  •)>  ( P ) 

Doc  =  updateQ(Doc[noiie  <*=  node'],n,  nodec ) 
t'  =  t[Doc  <=  Doc]  Zctx(id)'  =  Sctx(id)[t  t'] 

Zctx\  r,  let  x  =  domAPI.removeChild(*dt,  idd,  idp,  idc)  in  cmd  | ^ 

call(domAPI.removeNode,(i£Zt , idd, idp, idc) ,po\ntersOf (node) ,k)  ,  _  r  _  ,  \  /  l  n 

— >•  '  27cteH  T,  cma[pointersOf(noae)/xj  11^;  ■ 


DomRemoveChild 


Similar  to  the  previous  case,  we  have  two  subcases:  one  is  the  script’s  label  is  lower  than  or  equal  to  na ,  the  other  is 
not. 

The  first  case  is  straightforward.  The  equivalent  state  also  takes  the  same  step  and  the  projected  tree  structures  stay 
the  same. 

For  the  second  case,  we  need  to  show  the  state  after  removal  of  the  child  is  still  equivalent  to  Y-2. 

There  are  two  cases  here.  One  is  that  such  append  float  some  labels,  the  other  is  not.  In  the  latter  case,  the  update 
does  not  affect  the  projection  and  less  than  relation.  In  the  former  case,  the  projection  of  the  dom  will  sever  links 
between  nodes.  In  this  case,  the  less  than  relation  can  be  re-established  using  a  different  set  of  rules  that  take  case  of 
the  missing  links  and  extra  node  in  £2- 


86 


5.3  Proof  of  Lemma  14 

case:  BookmarkGet 


E  =  ('I',  •  •  • ,  MBookmarks,  •  •  •)  \L  =  'L'  ::  chrome. bookmarks. get(rt,  idcb,  ids ) 

bookmarks  =  se\ectBookmark(MBookmarks ,  k) 

result  =  bookmarkQuery  (bookmarks,  chrome. bookmarks. get,  ids) 

fresh(ide)  e  =  ( ide ,  idcb,  none,  result,  n)  E'  =  17  [\L  4=  ’I''] 

’ - - - - - — - - - BOOKM^ 

nextStateC(27,  chrome. bookmarks. get(«,  idcb ,  ids))  =  E  ;  e 

Let  E\  =  (’Ll,  Tabsi,  ExtCoreRsi, progInjCSs1,  Exts\,  Cookiesi,  MBookmarks i,  histories i,  UIi) 
E2  =  (^2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  ExtS2,  Cookies 2,  MBookmarks 2,  histories 2,  UI 2) 

By  assumptions 

(Al)  'Ll  =  'L',  ::  0i 

(A2)  'tpi  =  chrome. bookmarks. get(K1;  idcb,  ids) 

(A3)  bookmarks \  =  se\ectBookmark(MBookmarksi,  k) 

(A4)  result  1  =  bookmarkQuery  (bookmarks  1,  chrome. bookmarks. get,  ids) 

(A5)  fresh(idei) 

(A6)  ei  =  (idei,  idcb,  none,  resulti,  k) 

(A7)  E[  =  Ei[^1^  ^i] 

sub-subcase  i.  Ki  C  k 

By  BrowserstateI 

(1)  ipi  lK=  V’i 

By  Ei  i  K  <  E2  lK,  Lemma  11,  and  (1) 

(2)  'Ll  |K<C  -L2  lK 

(3)  302  G  'E'2  s.t.  0K<  -02  4-k.  that  is  02  =  0i  =  chrome. bookmarks. get(«i,  idcb,  ids), 

^2  =  %  ::  02,  'Ll  iK<c  %  U 

Apply  bookmarkGet  to  E2 

(4)  bookmarks2  =  se\ectBookmark(MBookmarks2,  «i) 

(5)  result2  =  bookmarkQuery(bookmarks2,  chrome. bookmarks. get,  ids) 

(6)  fresh(ide2) 

(7)  e2  =  (ide 2,  idcb,  none,  result2,  k) 

(8)  e’2  =  r2[^2  %} 

By  MBookmarksi  \ ,K<bkm  MBookmarks2  \.K,  E  k,  and  the  definition  of  selectBookmark 

(9)  bookmarks2  =  bookmarksi 

(10)  result 2  =  resulti 

(11)  e2  =  ei 

By  EVENT  1,  (11) 

(12)  ei  4-k<  e2  |K 

By  STATE,  (A7),  (8),  (3) 

(13)  E[  ;K<  E’2 
sub-subcase  ii. 

By  Browserstate2,  Lemma  12 

(1)  01  Ik=  ' 

(2) 

By  (A6),  EVENT2 

(3)  ei  iK=  ■ 

By  STATE,  (A7),  (2),  Ei  0K<  E2 

(4)  E’iU<EiU 
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(5)  E(U<E2U 


The  proofs  for  bookmarkGetChildren,  bookmarkGetRecent,  bookmarkGetTree,  bookmarkGet- 
SubTree,  bookmarkSearch  are  similar  to  the  proofs  for  this  rule, 
case:  BookmarkCreate(I) 

E  =  (\L,  ■  •  • ,  MBookmarks ,  •  •  •) 

T  =  'L'  ::  chrome. bookmarks. create(/c,  idcb,  (idparent,  positionlndex ,  title ,  url )) 

MBookmarks  =  MBookmarks11  ::  (bookmarks ,  k) 

( bookmarks' ,  result)  =  bookmark\N r\te(bookmarks ,  chrome. bookmarks. create, 

(id parent,  positionlndex,  title,  url)) 

fresh(ide) 

e  =  (id e,  id ci,  none,  result,  k)  MBookmarks  =  MBookmarks  ::  (bookmark  ,  k) 

E’  =  I7[’L  -*=  ([MBookmarks  <=  MBookmarks '] 

- - - - - - - - - - - - —  BookmarkCreate(I) 

nextStateC(27,  chrome. bookmarks. create(ft,  idcb,  (idparent,  positionlndex,  title,  url)))  =  E  ;  e 

Let  Ei  =  (T1!,  Tabsi,  ExtCoreRsi, progInjCSs1,  Exts\,  Cookiesi,  MBookmarks i,  histories i,  UIi) 

E '2  =  (tI/2,  Tabs2,ExtCoreRs2,progInjCSs2,ExtS2,  Cookies2,  MBookmarks 2,  histories 2,  UI2) 

By  assumptions 

(Al)  T-!  =  vl/'  ::  </>i 

(A2)  t/>i  =  chrome. bookmarks. create(/ci,  idcb,  (id parent,  positionlndex,  title,  url)) 

(A3)  MBookmarksi  =  MBookmarks ”  ::  MBookmarki 
(A4)  MBookmarki  =  (bookmarks i,  Ki) 

(A5)  (bookmarks'i,  result i)  =  bookmarkWrite(&oofcmarLsi,  chrome. bookmarks. create, 

(A6)  (idparent,  positionlndex,  title,  url)) 

(Al)  fresh  (id  ei) 

(A8)  ei  =  (idei,  idcb,  none,  result i,  Ki) 

(A9)  MBookmarks'i  =  MBookmarksi[bookmarki  <=  bookmark 
(A10)  MBookmarks'i  =  MBookmarksi[MBookmarki  <=  MBookmark'i ] 

(All)  E'i  =  i7i[4,i  <=  ^[([MBookmarksi  <=  MBookmarks[( 

sub-subcase  LkiCk 
By  BrowserstateI 

(1)  4>1  in=  Vh 

By  Ei  iK<  E2  4-k,  Lemma  11,  and  (1) 

(2)  ;K<C  ^2  U 

(3)  3lp2  e  ^2  S.t.  tpi  iK<  U, 

that  is  tp2  =  ipi  =  chrome. bookmarks. create(rti,  idcb,  (id parent,  positionlndex ,  title,  url)), 

^2  =  %  "  V>2,  'L'l  %  Ik 
By  MBookmarkI 

(4)  MBookmarki  \.K=  MBookmarki 

By  MBookmarksi  )rK<bkm  MBookmarks2  4-K,  (4),  MBOOKMARKS 

(5)  3MBookmark2  £  MBookmarks2,  s.t.  MBookmarki  J,K<  MBookmark2  4-K, 
that  is  MBookmark2  =  MBookmarki 

(6)  MBookmarks2  =  MBookmarks 2  ::  MBookmark2 

(7)  MBookmarks2  \.K=  MBookmarks”  4_K 
By  (3),  (5),  apply  bookmarkCreate(I)  to  i72 

(8)  MBookmark2  =  (bookmarks  1,  ki) 

(9)  (bookmarks[,  result  1)  =  bookmarkWrite(6oofcmarfai,  chrome. bookmarks. create, 
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(id parent,  positionlndex,  title ,  url )) 

(10)  fresh  (id  e2) 

(11)  e2  =  (ide 2,  idcb ,  none,  result i,  «i) 

(12)  MBookmarks2  =  MBookmarks2[bookmark\  <=  bookmark x] 

(13)  MBookmarks'2  =  MBookmarks2[MBookmark2  4=  MBookmark2\ 

(14)  E2  =  £2^2  4=  d/^  [MBoofcmarfcs2  4=  MBookmarks2 \ 

By  MBookmarksi  \ rK,<bkm  MBookmarks2  E  ft,  and  the  definition  of  selectBookmark 

(15)  bookmarks 2  =  bookmarks\ 

(16)  MBookmarks'2  =  MBookmarks \ 

By  (A10),  (7),  (13),  (16),  BOOKMARKS 

(17)  MBookmarks \  <bkm  MBookmarks2 
By  EVENT  1,  (A8) 

(18)  e\  o2  I 

By  STATE,  (All),  (3),  (14),  (17) 

(19)  S(  U<  S'2 
sub-subcase  ii. 

By  Browserstate2,  Lemma  12 

(1) 

(2)  $i  |K<C  ’Ll  |K 

By  MBOOKMARK2 

(3)  MBookmarks  fK=  MBookmarks  -Ik,=  ■ 

By  (A3),  (A10),  (3) 

(4)  MBookmarks  i  ),K=  MBookmarks \ 

By  STATE,  (A1 1),  (2),  (4),  St  fK<  S2  lK 

(5)  S(  4-k5:  S\ 

(6)  s(  4,K<  £2  4-k 

By  (A8),  EVENT2 

(7)  eUK=- 

The  proofs  for  BookmarkMove(I),  BookmarkUpdate(I),  BookmarkRemove(I),  BookmarkRemove- 
Tree(  1 )  are  similar  to  the  proofs  for  the  rule  BookmarkCreate(  1). 
case:  BookmarkCreate(2) 


£  =  (d/,  •  •  • ,  MBookmarks ,  •  •  •) 

d/  =  \E'/  ::  chrome. bookmarks. create(ft,  idcb ,  (idparent,  positionlndex ,  title,  url)) 
$MBookmark  €  MBookmarks  s.t.  labOf  (MBookmark)  =  k 
bookmarksi  =  selectBookmark  (MBookmarks,  k) 

( bookmarks) ,  result)  =  bookmarkWrite(&oo&marfei,  chrome. bookmarks. create, 

(idparent,  positionlndex ,  title,  url)) 


fresh(ide) 

e  =  (ide,  idcb,  none,  result,  ft) 
S'  =  JC[d/  -t=  d/']  [ MBookmarks 


MBookmarks '  =  MBookmarks  ::  (bookmarks),  k) 
-  MBookmarks'] 


nextStateC(i7,  chrome. bookmarks. create(re,  idcb,  (id parent,  positionlndex ,  title,  url)))  =  S';  e 


BookmarkCreate(2) 


Let  Ss  =  (d/i,  Tabss,  ExtCoreRss, proglnjCSss,  Extss,  Cookies  1,  MBookmarks  1,  histories  1,  UI\) 
S2  =  (d/2,  Tabs2,  ExtCoreRs2, progInjCSs2,  Exts2,  Cookies 2,  MBookmarks 2,  histories 2,  UI2) 

By  assumptions 

(Al)  dr,  =  ::  ifi 
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(A2)  ijji  =  chrome. bookmarks. create(/ci,  idcb,  ( id  varent,  positionlndex ,  title,  url)) 

(A3)  $MBookmark  G  MBookmarksi  s.t.  labOf  (MBookmarki)  =  Ki 
(A4)  bookmarks \  =  se\ectBookmark(MBookmarks,  ki) 

(A5)  (bookmarks*!,  result i)  =  bookmarkWrite(6oofcmarfai,  chrome. bookmarks. create, 

(A6)  (idparent,  positionlndex,  title,  url)) 

(A7)  MBookmarki  =  (bookmarks l7  Ki) 

(A8)  MBookmarks (  =  MBookmarksi  ::  MBookmarki 
(A9)  fresh(idei) 

(A10)  e\  =  (id e i ,  idcb,  none,  result i,  K\) 

(All)  B'i  =  i7i[4fi  <=  ^([[MBookmarksi  -4=  MBookmarks (\ 

sub-subcase  i.  K\  jZ  k 

By  BrowserstateI 

(1)  V’i  4-«=  Vh 

By  27i  4-k<  272  4-k,  Lemma  11,  and  (1) 

(2)  ;K<C  $2  U 

(3)  3^2  G  <L2  S.t.  tpi  iK<  r/>2  4-k, 

that  is  t/>2  =  i/>i  =  chrome. bookmarks. create(«i,  idcb,  (id parent,  positionlndex ,  title,  url)), 

^2  =  %  "  V'2,  tf'i  Ik<c  ^2  4-k 
By  MBookmarki 

(4)  V MBookmark  G  MBookmarksi, 

if  labOf  (MBookmark)  =  K\,  MBookmark  \.K=  MBookmark 
MBookmark  G  MBookmarksi  \.K 

(5)  V MBookmark  G  MBookmarks2, 

if  labOf  (MBookmark)  =  Ki,  MBookmark  (,K=  MBookmark 
MBookmark  G  MBookmarks2  4-k 
By  (A3),  (4) 

(6)  $MBookmark  G  MBookmarksi  4-k  s.t.  labOf  (MBookmark)  =  Ki 
By  MBookmarksi  4 MBookmarks2  4-k-  MBookmarks,  (5),  (6) 

(7)  MBookmarks2  4-k=  MBookmarksi  \.K 

(8)  $MBookmark  G  MBookmarks2  s.t.  labOf  (MBookmark)  =  Ki 

Proof:  if  $MBookmark  G  MBookmarks2  s.t.  labOf  (MBookmark)  =  Ki 
then  MBookmark  G  MBookmarks2  4-k  which  conflicts  with  (7) 

By  (3),  (8),  apply  bookmarkCreate(2)  to  272 

(9)  bookmarks2  =  se\ectBookmark(MBookmarks2,  Ki) 

(10)  (bookmarks'2,  result 2)  =  bookmark\Nr\te(bookmarks2,  chrome. bookmarks. create, 

(11)  (idparent ,  positionlndex ,  title,  url ) ) 

(12)  MBookmark 2  —  (bookmarks 2,  Hi) 

(13)  MBookmarks2  =  MBookmarks2  MBookmark2 

(14)  fresh(id e2) 

(15)  e2  =  (ide 2,  idcb,  none,  result2,  k  1) 

(16)  =  272['I/2  ■<=  ([[MBookmarks 2  <=  MBookmarks (] 

By  MBookmarksi  4 MBookmarks2  4-k,  «i  E  k,  and  the  definition  of  selectBookmark,  (4),  (5) 

(17)  bookmarks2  =  bookmarksi 
By  (A5),  (10),  (17) 

(18)  bookmarks^  =  bookmarks ( 

(19)  result2  =  result  1 
By  (17),  (A7),  (12) 

(20)  MBookmark  2  =  MBookmark2 
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By  (A8),  (7),  (13),  (20),  BOOKMARKS 

(21)  MBookmarks \  =  MBookmarks'2 

(22)  MBookmarks \  <bkm  MBookmarks2 
By  STATE,  (All),  (3),  (16),  (22) 

(23)  S[  U<  S'2  U 

By  event  1,  (A8),  (15),  (19) 

(24)  d  iK<  e2  iK 
sub-subcase  ii.  Ki  %  k 

By  Browserstate2,  Lemma  12 

(1) 

(2)  'Ll  |K<C  ’Ll  iK 

By  MBOOKMARK2,  (A7) 

(3)  MBookmarki  J,K=  • 

By  (A8),  (3) 

(4)  MBookmarks  i  MBookmarks  x 

(5)  MBookmarks1  iK<bkm  MBookmarksi  4_K 
By  state,  (All),  (2),  (5),  27,  ±K<  272 

(5)  S[  ),K<  Si  \.K 

(6)  s;  iK<  s2  iK 

By  (A10),  EVENT2 

(7)  eUK=- 

The  proofs  for  BookmarkMove(2),  BookmarkUpdate(2),  BookmarkRemove(2),  BookmarkRemove- 
Tree(2)  are  similar  to  the  rule  BookmarkCreate(2). 
case:  CookieWebsiteSet(I) 


S  =  (>L,  ■  •  ■ ,  Cookies,  ■  ■  •) 

=  \D/  ::  website. cookieSet(K,  idcb,  (name,  value,  url))  Cookie  £  Cookies 
Cookie  =  (name,  valuei ,  url,  k)  Cookie  =  Cookie[valuei  <=  value \ 

Cookies'  =  Cookies[Cookie  <=  Cookie]  S'  =  27  [’L  •<=  \Ef/]  [Cookies  4=  Cookies'] 
fresh(ide)  e  =  (ide,  idcb,  none,  info(Cookie’),  k) 

nextStateC(27,  website. cookieSet(«,  idcb,  (name,  value,  url)))  =  S' ;  e 


CookieWebsiteSet(I) 


Let  S\  =  (’Ll,  Tabsi,  ExtCoreRsi, progInjCSs1,  Exts\,  Cookiesi,  MBookmarksi,  histories \,  UI\) 
272  =  (’L2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  ExtS2,  Cookies 2,  MBookmarks 2,  histories 2,  UI 2) 

By  assumptions 

(Al)  T,  =  vI/(  ::  ^ 

(A2)  ijji  =  website. cookieSet(Ki,  idcb,  (name,  value,  url)) 

(A3)  Cookiei  £  Cookiesi 

(A4)  Cookiei  =  (name,  valuer ,  url,  Ki) 

(A5)  Cookiei  =  Cookiei[valuei  <=  value] 

(A6)  Cookiesi  =  Cookiesi[Cookiei  <=  Cookie -J 
(A7)  fresh  (id  ei) 

(A8)  ei  =  (id ei,  idcb,  none,  inf o(Cookie'1),  k) 

(A9)  S'i  =  27i[’Li  <=  T'i] [Cookiesi  *t=  Cookies'i ] 

sub-subcase  i.  K\  L  k 

By  BROWSERSTATEl 

(l)  ipi  lK=  V’i 
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By  Ei  J,K<  E2  lK,  Lemma  11,  and  (1) 

(2)  ;K<C  iK 

(3)  3lf2  £  <L2  S.t.  V’l  U<  i>2  Ik, 

that  is  tp2  =  Vh  =  website. cookieSet(Ki,  idcb ,  (name,  value,  url)), 

^2  =  ^2  ::  fa,  'Ll  |K<C  %  W 

By  COOKlEl 

(4)  Cookie  1  \.K=  Cookie  1 

By  Cookiesi  |K<  cookies2  (4) 

(5)  3Cookie2  £  Cookies2  s.t.  Cookie  1  J,K<  Cookie 2 
that  is  Cookie 2  =  Cookiei  =  (name,  valuer ,  url,  Hi) 

By  (3),  (5),  apply  CookieWebsiteSet(I)  to  E2 

(6)  Cookie'2  =  Cookie2[valuei  <=  value] 

(7)  Cookies'2  =  Cookies 2[Cookie2  <=  Cookie 2] 

(8)  fresh(id  e2) 

(9)  e2  =  (id  e2,  idcb,  none,  info  (Cookie  2),  Hi) 

(10)  E'2  =  E2[^i  4=  'L,1][Coofczesi  Cookies -J 
By  (5),  (6) 

(11)  Cookie^  =  Cookie'i 
By  (A6),  (7),  Lemma  6 

(12)  Cookies^  =  Cookies 'x 
By  STATE,  (A9),  (3),  (10),  (12) 

(13)  E(  |K<  E'2  4.* 

By  event  1,  (A8),  (9),  (11) 

(14)  e\  4,^^  e2 
sub-subcase  ii. 

By  Browserstate2,  Lemma  12 

(1)  i>i  lK=  ■ 

(2)  $i|K<c$i|K 
By  COOKIE2,  (A4),  (A5) 

(3)  Cookiei  Cookie'i  • 

By  (A6),  Lemma  6 

(4)  Cookies'i  =  Cookiesi 
By  STATE,  (A9),  (3),  (4) 

(5)  E'i  4_k<  Ei  4<k 
By  (A8) ,  EVENT2 

(6)  ei  iK=  ■ 

The  proofs  for  cookieWebsiteSet(2),  cookieScriptSet(I)  are  similar  to  the  proofs  for  cookieWebsite- 
Set(1). 

case:  CookieCoreGetAll 

Let  Ei  =  (d/!,  Tabsi,  ExtCoreRsi, proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UIi) 

E2  =  (d/2,  Tabs2,  ExtCoreRs2,  pi'ogInjCSs2,  Exts2,  Cookies2,  MBookmarks 2,  histories 2,  UI 2) 

By  assumptions 

(Al)  T-!  =  'L'i  ::  ^ 

(A2)  ifi  =  chrome. cookies. getAI I («i ,  idcb,  filter) 

(A3)  V Cookie  £  Cookiesi,  Cookie  =  kc) 

if  matchFilter  (Cookie,  filter)  =  true  A  ncC  m 
Add  Cookie  to  Cookies  resuitSl 
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(A4)  fresh  (id  ei) 

Ci  (id  e i ,  id cb ,  none,  Cookies  resunSl ,  t^i) 

(A5)  £(  =  ^[vp-,  «<=  40] 

sub-subcase  i,  m  C  re 

By  BROWSERSTATEl 

(1)  01  Ik=  01 

By  A  |  K  <  J72  I,,,  Lemma  11,  and  (1) 

(2)  'Ll  |K<C  |K 

(3)  302  G  ^2  S.t.  -01  J,K<  02  4-re, 

that  is  02  =  01  =  chrome. cookies. getAII(/«i,  idcb,  filter), 

^2  =  ^2  "  ih,  |K<C  'L'2  iK 
By  COOKlEl,  Cookiesi  0K<  Cookies 2 

(4)  V  Cookie  G  Cookie  resuitl,  Cookie  4-K=  Cookie 

BCookie'  G  Cookies2  s.t.  Cookie  4-«<  Cookie  fK, 
that  is  Cookie  =  Cookie 
By  (3),  apply  CookieCoreGetAll(2)  to  £2 

(5)  V Cookie  G  CookieS2,  Cookie  =  kc) 

if  matchFilter(Coofcie,  filter)  =  true  A  nc  Q  n1 
Add  Cookie  to  Cookies  resUits2 

(6)  fresh(id  e2) 

c2  —  (id e2 7  id cb ,  none,  Cookies results®  5  tti) 

(7)  23  =  272[tf2  <=  tf'2] 

By  (A4),  (3),  (6) 

(8)  ei  4.^^  c2  0k 

By  STATE,  (A5),  (3) 

(9)  £[  £'2  4-ft 

sub-subcase  ii.  m  %  k 

By  Browserstate2,  Lemma  12 

(1)  014-k1=- 

(2)  $i  -U<c  ’Ll  iK 

By  STATE,  (A5),  (2) 

(3)  £(iK<£iiK 
By  (A4) ,  EVENT2 

(4)  ei  4-k=  1 

case:  CookieCoreRemove(I) 

CookieCore Remove!  1)  Extension  core  removes  a  cookie  with  name  and  url.  The  callback  function  can  access  the 
removed  cookie. 


£  =  (*L,  •  •  • ,  Cookies ,  •  •  •)  \L  =  ’L/  ::  chrome. cookies. remove^,  idcb,  (name,  url)) 

Cookies  =  Cookies'  ::  Cookie 

Cookie  =  (name,  _  ,  url,  kc)  k  C  kc  £'  =  i7[\L  4=  4,/]  [Cookies  <=  Cookies' ] 
fresh(ide)  e  =  (ide,  idcb,  none,  Cookie,  kc) 

- - - - - - - - - — - - - CookieCoreRemove(I) 

nextStateC(27,  chrome. cookies. remove^,  id cb,  (name,  url)))  =  £  ;  e 

Let  E\  =  (\Li,  Tabsi,  ExtCoreRsi, proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UIi) 

£2  =  (4/2,  Tabs2,ExtCoreRs2,progInjCSs2,ExtS2,  Cookies2,  MBookmarks 2,  histories 2,  UI2) 
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By  assumptions 

(Al)  vp  ,  =  vp;  ::  ^ 

(A2)  tpi  =  chrome. cookies. remove^,  idc &,  (name,  url )) 

(A3)  Cookies i  =  Cookies \  ::  Cookie \ 

(A4)  Cookie ±  =  (name,  _  ,  url,  kc) 

(A5)  Ki  C  Kc 

(A6)  £[  =  £'i[vI/i  <=  [Cookiesi  <=  Cookies' 

(A7)  fresh(idel) 

(A8)  e\  =  (idei,  idcb,  none,  Cookie i,  kc) 

sub-subcase  i.  K\  C  k 

By  BROWSERSTATEl 

(1)  4>i  1*,=  4>i 

By  £\  |  K  <  E2  |k,  Lemma  11,  and  (1) 

(2)  'Ll  |K<C  ^2  Ik 

(3)  3|>2  e  <L2  S.t.  Ipi  |K<  i/j 2  Ik, 

that  is  |>2  =  ipi  =  chrome. cookies. remove(Ki,  idcb,  (name,  url)), 
*2  =  ^2  ::  ^2,  4-'i  Ik<c  'La  Ik 

case  1 :  kc  <  k 

By  COOKiEl,  Cookiesi  |K<  Cookies2  |K 

(4)  3Cookie2  £  Cookies2  s.t.  Cookie i  |K<  Cookie 2  |K, 

that  is  Cookie  i  =  Cookie 2 

(5)  Cookies2  =  Cookies2  ::  Cookie 2 

(6)  Cookies \  |K<  Cookies'2  |K 

By  (3),  (4),  apply  CookieCoreRemove(I)  to  E2 

(7)  Cookies 2  =  Cookies2  ::  Cookie2 

(8)  E2  =  -t=  ^y[Coofc*es2  4=  CooAxes^] 

(9)  fresh(id  e2) 

(10)  e2  =  (ide 2,  idcb,  none,  Cookie 2,  nc) 

By  (A8),  (4),  (10) 

(11)  ei  |k<  e2  |„ 

By  STATE,  (A6),  (3),  (6),  (8) 

(12)  E[  |k<  E'2  Ik 
case  2:  nc  n 

By  COOKIE2, 

(13)  Cookie i  |K=  • 

(14)  Cookies \  |K=  Cookiesi  |K 
By  STATE,  (A6),  (3),  (14) 

(15)  £[  |k<  J7x  |k 
By  (A8),  EVENT2 

(16)  ex  |k=  • 

sub-subcase  ii.  kx  %  k 

By  Browserstate2,  Lemma  12 

(1)  V>iIki=- 

(2)  !k<c  ’Ll  Ik 
By  K-I  %  k,  (A5) 

(3)  Kc%  K 
By  (3),  COOKIE2 

(5)  Cookiei  |K=  • 
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(6)  Cookies \  |K<  Cookiesi  \.K 
By  STATE,  (A6),  (2),  (6) 

(7)  E[  4,k<  Ei  4-k 
By  (A8) ,  (3) ,  EVENT2 

(8)  ei  4-k=  ■ 

case:  HistorySearch 


E  =  ('I',  ■  •  ■ ,  histories ,  •  •  •) 

’L  =  \E,/  ::  chrome. history. search(K,  idcb,  query)  histories  =  historiesi  ::  histories 2 
V history  £  histories  1,  history  =  (id,  url,  name,  visitTime,  visitType,  Kh ) 
matchQuery(/izstory,  query)  =  true 
KhC  K 

$ history '  £  histories,  history1  =  (id1 ,  url,  name,  visitTime  ,  visitType  ,  Kh),  history'  7^  history 
s.t.  visitTime  is  later  than  visitTime  A  n'h  E  k 
Whistory  £  histories2,  history  =  (id,  url,  name,  visitTime,  visitType,  Kh) 
matchQuery (history,  query)  =  true 


Kh  E  k 

Bhistory'  £  histories  1,  history'  =  (id’ ,  url,  name ,  visitTime  ,  visitType' ,  Ch ), 
s.t.  visitTime  is  later  than  visitTime  A  n'h  C  k 
E’  =  [\B  'L']  fresh(ide)  e  =  (ide,  idcb,  none,  historiesi,  k) 

nextStateC(Z’,  chrome. history. search(«;,  idcb,  query))  =  E'\  e 


HISTORYSEARCH 


Let  Ei  =  (’Ll,  Tahsi,  ExtCoreRsi,  proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  historiesi,  UI\ ) 

E2  =  (^2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  ExtS2,  C ookies 2,  MB ookmarks 2,  histories 2,  UI2) 

By  assumptions 

(Al)  vp  ,  =  vI/(  ::  ^ 

(A2)  ipi  =  chrome. history. search(r?.1,  idcb,  query) 

(A3)  historiesi  =  historiesia  ::  histories^ 

(A4)  \/history  £  histories ia,  history  =  (id,  url,  name,  visitTime,  visitType,  Kh) 
matchQuery  (history ,  query)  =  true 
Kh  E  Ki 

$ history '  £  historiesi,  history1  =  (id1 ,  url,  name,  visitTime' ,  visitType' ,  K'h),  history'  7^  history 
s.t.  visitTime'  is  later  than  visitTime  A  k'h  E  k 
(A5)  Whistory  £  historiesib ,  history  =  (id,  url,  name,  visitTime,  visitType ,  Kh) 
matchQuery  (history,  query)  =  true 
Kh  Eft 

3 history'  £  historiesia,  history'  =  (id' ,  url,  name,  visitTime' ,  visitType' ,  k'h), 
s.t.  visitTime  is  later  than  visitTime  A  k'h  E  ki 
(A6)  E’i  =  X’lfl'i  <^=  ’L'1] 

(A7)  fresh(idei),  ei  =  (id ei,  id c&,  none,  historiesia,  Ki) 

sub-subcase  i.  K\  E  k 

By  BROWSERSTATEl 

(1)  4>i  Vh 

By  Ei  iK<  E2  Lemma  11,  and  (1) 

(2)  ^1  ;K<C  ^2  U 

(3)  3^2  e  4*2  S.t.  tpi  iK<  1p2  U, 

that  is  ^2  =  ipi  =  chrome. history. search(jti,  idcb ,  query). 
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*2  =  %  "  V>2,  Ik<c  %  U 

By  (3),  HISTORY  1 

(4)  Mhistory  £  historiesi,  s.t.,  matchQuery {history,  query )  =  true, 

la bOf (/listen/)  Ckj  Ck 
history  |K=  history 
history  £  historiesi  Ik 

(5)  V history  £  histories 2,  s.t.,  matchQuery  (history  ,  query)  =  true, 

labOf (history')  C  ki  Q  k 
history'  |re=  history ’ 
history  £  historieS2  |K 

By  (4),  (5), ,  historiesi  lK<hst.rs  histories 2  |K,  HISTORIES 

(6)  historiesi  |K=  historiesi  Ik 
By  (3),  apply  historySearch  to  E2 

(7)  historiesi  =  histories2a  "  histories2b 

(8)  V history  £  histones 2a,  history  =  (id,  url,  name,  visitTime,  visitType,  Kh) 

matchQuery  (history,  query)  =  true 

Kh  E  Ki 

$history'  £  historiesi,  history'  =  (id' ,  url,  name,  visitTime  ,  visitType  ,  n'h),  history'  7^  history 
s.t.  visitTime'  is  later  than  visitTime  A  k'h  E  k 

(9)  V history  £  histories2b,  history  =  (id,  url,  name,  visitTime,  visitType,  Kh) 

matchQuery  (history,  query)  =  true 
Kh  E  k 

Bhistory'  £  histories2a,  history'  =  (id' ,  url,  name ,  visitTime' ,  visitType' ,  K,'h), 
s.t.  visitTime'  is  later  than  visitTime  A  k!h  E  Ki 

(10)  ^  =  r2[tf 2<=%\ 

(11)  fresh(ide2),  e2  =  (ide2,  idcb,  none,  histories2a,  «i) 

By  (A4),  (A5),  (8),  (9),  (4),  (5),  and  (6) 

(12)  historiesia  =  histories2a 
By  STATE,  (A6),  (10)  and  (3) 

(13)  S{U<S^lK 
By  (A7),  (11),  (12) 

(14)  ei  |K<  e2  |« 
sub-subcase  ii.  Ki  k 

By  BROWSERSTATE2,  Lemma  12 

(1)  V-i  i«=  ■ 

(2)  |k<c  Ipl  Ik 
By  STATE,  (A6),  and  (2) 

(3)  E(  IkE  2j1  Ik 
By  (A7),  EVENT2 

(4)  ei  |k=  • 

The  proofs  for  HISTORYGET VISITS  are  similar  to  the  proofs  for  this  rule, 
case:  historyAddURL 
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E  =  ('I',  •  •  • ,  histories,  ■  ■  •) 

::  chrome. history. add U rl («,  idcb,  (name,  url,  visitTime,  visitType )) 
histories'  =  histories  ::  history 

fresh(id)  history  =  (id,  url,  name,  visitTime,  visitType,  re) 

E1  =  .E7 [M/  <=  \E ’'([histories  <=  histories  ]  fresh(ide)  e  =  (ide,  idcb,  none,  history,  re) 
_  HIS1 

nextStateC(JC,  chrome. history. addUrl(re,  idcb,  (name,  url,  visitTime ,  visitType )))  =  E' ;  e 

Let  Si  =  (’Ll,  Tahsi,  ExtCoreRsi, progInjCSs1,  Exts\,  Cookiesi,  MB ookmarksi,  histories i,  UI\) 
S2  =  (tf^,  Tabs2,ExtCoreRs2,progInjCSs2,Exts2 ,  Cookies2,  MB ookmarks 2,  histories 2,  UI 2) 
By  assumptions 

(Al)  =  40  ::  0t 

(A2)  0  1  =  chrome. history. addllr^K!,  idcb,  (name,  url,  visitTime,  visitType)) 

(A3)  fresh(idi),  history1  =  (id  1,  url,  name,  visitTime,  visitType,  «i) 

(A4)  histories1  =  historiesi  ::  history1 
(A5)  S'i  =  XiD&i  4=  40]  [Wstonesi  4=  histories 
(A6)  fresh(idei),  e\  =  (idei,  idcb,  none,  history1,  «i) 
sub-subcase  i.  «i  C  re 
By  BROWSERSTATEl 

(1)  0i  4-«=  V’i 

By  4-«<  S2  \.K,  Lemma  11,  and  (1) 

(2)  $1  -U<c  $2  4-k 

(3)  3-02  G  ^2  S.t.  0i  |K<  02  Ik, 

that  is  02  =  0i  =  chrome. history. addUrl(rei,  (name,  url,  visitTime,  visitType)), 

^2  =  40  ::  ih,  *'i  l«<c  *2  4-« 

By  (A3),  HISTORY  1 

(4)  history  1  \.K=  history  1 

Apply  historyAddURL  to  S2 

(5)  fresh(id2),  history2  =  (id2,  url,  name,  visitTime,  visitType ,  «i) 

(6)  histories'2  =  historieS2  history2 

(7)  S2  =  S2  [4* 2  <=  ^'2][histories2  <=  histories 2] 

(8)  fresh(ide2),  e2  =  (ide2,  idcb,  none,  history2,  «i) 

By  (A3),  (5),  (A4),  (6),  historiesi  ,J„c</istrs  histories2  | K 

(9)  history !  =  history  2 

(10)  histories \  <hstrs  histories' 2 
By  STATE,  (A5),  (7),  (3),  and  (10) 

(11)  S[U<S^U 

By  (A6),  (8),  (9),  event  1 

(12)  ei  lK<  e2  4-b 
sub-subcase  ii.  rei  re 

By  BROWSERSTATE2,  Lemma  12 
(1)  01  !«  =  • 

(2)  40  lK<c  0i  lK 
By  HISTORY2 

(3)  history  1  |K=  • 

(4)  histories \  i^hstrs  historiesi 
By  STATE,  (A5),  (2),  and  (4) 

(5)  E(  Ei  \.K 
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By  (A6),  EVENT2 

(6)  e.\  iK=  ■ 


case:  historyDeleteURL 

E  =  ('L,  ■  •  • ,  histories ,  •  •  •) 

=  SR'  : :  chrome. history. deletellrl(re,  idcb,  url)  histories  =  historiesi  ::  historieS2 

V history  £  historiesi 
history  =  (_  ,  url, 

K  C  Kh 

$history  £  histories2 ,  s.t.  history  =  (_  ,  url,  Kh)  A  k  C  Kh 

E'  =  E[\ L  <=  \E ’’^histories  4=  histories2 ] 
e  =  ( ide ,  idcb,  none.  void,  re) 

- - - - - - - — - - - HISTORY 

nextStateC)!?,  chrome. history. deleteUrl(re,  idcb,  url))  =  E  ;  e 

Let  E\  =  (’Ll,  Tabsi,  ExtCoreRsi, proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  historiesi,  UI i) 
E2  =  (4,2>  Tabs2,  ExtCoreRs2,  progInjCSs2,  ExtS2,  Cookies2,  MBookmarks 2,  histories 2,  UI 2) 

By  assumptions 

(Al)  L,  =  L)  ::  t/’i 

(A2)  ipi  =  chrome. history. deleteUrl(rei,  idcb ,  url) 

(A3)  historiesi  =  historiesia  ::  historiesib 
(A4)  V history  £  historiesia 
history  =  (_  ,  url, 

Ki  C  Kh 

(A5)  $ history  £  historiesib,  s.t.  history  =  (_  ,  url,  re^)  A  K1C4 

(A6)  =  A7i [SR  1  <t=  'ifr'1][historiesi  •£=  histories ib\ 

(A7)  fresh(idei),  ei  =  (idel,  idcb,  none,  void,  rei) 

sub-subcase  i.  rei  C  re 

By  BROWSERSTATEl 

(1)  Vh  1*=  V’i 

Byra  K  <  E‘2  4-k,  Lemma  11,  and  (1) 

(2)  'Ll  |K<C  <L2 

(3)  3ip2  S  <L2  s.t.  ^1  4-k<  ^2 

that  is  V>2  =  V’i  =  chrome. history. deletel)rl(rei,  urZ), 

^2  =  'Ls  ::  V»2.  ^1  l«<c  ^2  4-k 

Apply  historyDeleteURL  to  E2 

(4)  historieS2  =  historieS2a  ”  historieS2b 

(5)  Mhistory  £  histories2a 

history  =  (_  ,  url,  reft) 

Ki  C  Kh 

(6)  $ history  £  histories2b,  s.t.  history  =  (_  ,  url,  re^,)  A  Ki  C  re/, 

(7)  E2  =  E2  ['E'2  4=  iL2][/iJstones2  •<=  histories2b } 

(8)  fresh(ide2),  e2  =  [ide2,  idcb,  none,  void,  rei) 

By  (A4),  (5),  historyL  history2,  historiesi  ln<hstrs  histories2  4-K 

(9)  historiesi  4,k=  histories2  Vk 

(10)  Vhistory  £  historiesia,  s.t.,  labOf [history)  C  re 

3 history  £  histories2a ,  s.t.,  history  \.K=  history 

(11)  \/history  £  histories2a,  s.t.,  labOf  (history)  C  re 
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3history'  £  histories\a ,  s.t.,  history  4-K=  history1 

(12)  historiesia  4_K=  historieS2a  4-« 

(13)  histories u  4-K=  histories2b  Ik 

(14)  histories u  iK<hstrs  histories 2b  Ik 
By  STATE,  (A6),  (7),  (3),  and  (14) 

in)  u< 

By  (A7),  (8),  EVENT  1 
(12)  ei  ^2  ■I'K 

sub-subcase  ii.  Ki  k 

By  BROWSERSTATE2,  Lemma  12 

(1)  1p[  Ik=  ■ 

(2)  4^  |K<C  i/ji  \,K 
By  HISTORY2  ,  HISTORIES 

(3)  history la  fK=  ■ 

(4)  histories u  iK<hstrs  historiesi 
By  STATE,  (A6),  (2),  and  (4) 

(5)  E[  Si  lK 

By  (A7),  EVENT2 

(6)  ei  fK=  ■ 

case:  NewTab 

fresh(idt,  idd,  ide i,  ide 2)  E  =  (4>,  Tabs,  ■  ■  •) 

41  =  4/'  ::  chrome. tabs. create(r«,  idcb,  (idw ,  positionlndex ,  url,  activeFlag ,  pinnedBoolean,  idparentTab )) 
t  =  ( idt ,  ■,  url,  ■,  ■,  k^C)  iji'  =  readyToFetchDoc(idt,  idd,  ■,  idd,  url) 

E'  =  27[41  -t=  4''  ::  %f][Tabs  <*=  Tabs  ::  i]  £  =  (idei,  tabs. onCreated,  none,  info1,  k) 

::  (ide 2,  idcb ,  none,  getlnfo(t),  n) 

nextStateC(27,  chrome. tabs. create(rc,  idcb,  (id w ,  positionlndex ,  url,  activeFlag ,  pinnedBoolean,  idparentTab )))  =  S' ,  < 

Let  Ei  =  (4/!,  Tabsi,  ExtCoreRsi, progInjCSs1,  Extsi,  Cookiesi,  MB ookmarksi,  historiesi,  UIi ) 

S2  =  (4/2,  Tabs2,ExtCoreRs2,progInjCSs2,ExtS2,  Cookies2,  MBookmarks 2,  histories 2,  UI2) 

By  assumptions 

(Al)  fresh(idt,idd,idei,ide  2) 

(A2)  4-!  =  4/"  ::  ifi 

ipi  =  chrome. tabs. create^,  idcb,  (id w ,  positionlndex ,  url,  activeFlag ,  pinnedBoolean,  idparentTab )) 

(A3)  ti  =  (idt,-,url,-,-,nfC) 

(A4)  =  readyToFetchDoc(K,  idt,  idd >  •>  idd ,  url ) 

(A5)  E{  =  Eil^i  <=  4/"  ::  ^[Tabsi  <=  Tabsi  ::  h] 

(A6)  £1  =  (id ei,  tabs. onCreated,  none,  info1,  ni)  ::  (ide2,  idcb,  none,  getlnfo(t),  Ki) 

sub-subcase  i,  Ki  C  k 

By  BROWSERSTATEl 

(1)  Vr  -U=  4>i,  ipi  g  4»i 
By  4<i  4,k<c  4-2  Ik,  (1) 

(2)  3-02  G  ^2  U,  S.t.  ifi  Ik<  namely  -if2  =  Vt 

Apply  newTab  to  E2 

(3)  ip2  =  ipi  =  chrome. tabs. create^,  idcb,  (idw,  positionlndex ,  url,  activeFlag ,  pinnedBoolean,  idparentTab )) 

(4)  fresh  (id  t2,  idd2 ,  ide'i,  ide  2)  =  fresh(idt,  idd,  ide  1;  ide2 ) 

(5)  t2  =  (idt2,-,url,-,-,K^C)  =  ti 


NewTab 
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(6)  ip2  =  readyToFetchDoc(*dt2,  idd2 >  •>  *d<22>  Mr0  =  V’i 

(7)  27'  =  r2[Ls  4=  L"  ::  ^2][Ta6s2  4=  To6s2  ::  fcj 

(8)  £2  =  (id ei,  tabs. onCreated,  none,  info1,Ki)  ::  (*de2,  idcb,  none,  getlnfo(i2),  m)  =  £\ 

By  Lemma  1 1 

(9)  ’&'/  ;K<C  n  u 

By  (6),  (9),  10 

(10)  (L"  ::  V’i)  l«<c  (*£  "  V’i)  Ik 
By  (5),  Tabs\  |K<  Tabs2  |K 

(11)  Tabs  1  ::  ii  |K<  Ta&s2  ::  i2  |K 
By  (10), (1 1),  (A5),  (7),  STATE 

(12)  E[U<^U 

By  (8) 

(13)  £i|k<£2|k 

sub-subcase  ii.  ki^k 
By  (A3),  tab3 

(1)  kU=- 

(2)  Tabsi  ::  t\  |K<  Tabs  1  |K 
By  (A2),  (A4),  Lemma  1 1,  Lemma  10 

(3)  L"  ::  V’i  |K<C  'Ll  |K 
By  (2),  (3),  (A5),  STATE 

(4)  27{  |k^  Ei  Ik 
By  (A6),  EVENT2 

(5)  £1  |K=  • 

case:  EableDisableExtI(a) 

E  —  (L,  Tabs ,  Exts  ::  Ext,  ExtCoreRs,  ■  ■  •) 

L  =  L'  ::  chrome. management. setEnabled(rc,  idcb,  ( string ,  id,  idext,  activeFlag )) 

Ext  =  (idext,  ExtCore,  ■  ■  ■ ,  activeFlag,  i\)  k  ^  l\ 
nextStateC(27,  chrome. management. setEnabled(K,  idcb,  ( string ,  id,  idext,  activeFlag )))  =  27[L  <$=  'L/],  • 

Let  i7i  =  (d/i,  Tabsi,  ExtCoreRsi,  progInjCSs1,  Extsi,  Cookiesi,  MBookmarksi,  historiesi,  UI\) 

U2  =  (L2,  Tabs2,  ExtCoreRs2,  progInjCSs2,  Exts2,  Cookies2,  MB ookmarks2,  histories 2,  UI2 ) 

By  assumptions 

(Al)  Exti  =  (id ext,  ExtCore\,ExtCSs\,  Storage1,x,  activeFlag,  £) 

(A2)  Ext  1  €  Exts  1 

(A3)  Li  =  L"  ::  V’i 

(A4)  «!  %  ix* 

(A5)  ip  1  =  chrome. management. setEnabled(rci,  idcb,  (string,  id,  idext,  activeFlag)) 

(A6)  i7(  =  27i[Li  L"] 

(A7)  £(  =  ■ 

sub-subcase  i.  k\  C  k,  i\~  C  k 
By  browserstateI 

(1)  V’i  Ik=  V’i.  V’i  €  ^1  Ik 
By  Li  |K<C  L2  |k,  (1) 

(2)  3ip2  e  L2  |k,  s.t.  V’i  Ik<  Ip2  Ik.  namely  1 ip2  =  V’i 

(3)  L2  =  L"  ::  ^2 
By  Exts  I  |K<  Exts2 


EnableDisableExtI(a) 
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(4)  3  Ext  2  €  Exts2 

s.t.  Ext2  =  ( idext ,  ExtCore2 ,  •  •  • ,  activeFlag ,  £i),  ExtCorei  <  ExtCore2 
By  (2),  (4),  apply  EnableDisableExtI(a)  to  E2 

(5)  ^  =  r2[4'2^^"],£2  =  - 

By  (A3),  (2),  (3),  i  ;«<c  <H2  ±K,  Lemma  11 

(6)  n  ;«<c  n  in 

By  state,  (A6),  (5) 

(7)  Ei  iK<  E2  in 
By  (A7),  (5) 

(8)  £\  in<  £2  in 

sub-subcase  ii.  k1  n  k,  £i~  %  k 

By  Lemma  1 1 

(1)  ’f"  4-k<c  ^1  U 

By  (A6),(l),  and  STATE 

(2)  E'l  in<  El  in 
By  (2)  and  E1  iK<  E2  iK 

(3)  E[  in<  E2  in 
By  (A7) 

(4)  £'1  J,K<  £2  in 

sub-subcase  iii.  ki  %  k. 

By  BROWSERSTATE2 


(1) 

ipi 

4'« 

(2) 

I'i 

-\<K,  = 

n  in 

By  (A6) 

(3) 

■i-K, — 

El  in<  E2  i, 

By  (A7) 

(4) 

% 

Ik< 

£2  in 

case:  EableDisableExtI(b) 


E  =  (4',  Tabs,  Exts  ::  Ext,  ExtCoreRs,  •  •  •) 

\H  =  \D7  ::  chrome. management. setEnabled(rc,  idct>,  ( string ,  id,  idext,  activeFlag)) 

Ext  =  (idext,  ExtCore,  ■  ■  • ,  activeFlag,  £1)  k  C  £1 
£2  =  K>tnt£  1  fresh(ide)  ei  =  (ide,  idcb,  none,  get  Info  (.Erf),  £2~) 

nextStateC(27,  chrome. management. setEnabled(ft,  idcb,  ( string ,  id,  idext,  activeFlag)))  =  A7 [SB  ei 


EnableDisableExt  1  (b  ) 


Let  Ei  =  (d/i,  Tabsi,  ExtCoreRsi, proglnjCSsi,  Extsi,  Cookiesi,  MB ookmarksi,  histories  1,  UIi) 

E 2  =  (d/2,  Tabs2,ExtCoreRs2,progInjCSs2,ExtS2,  Cookies2,  MB ookmarks 2,  histories 2,  UI2) 

By  assumptions 

(Al)  Exti  =  (idext,  ExtCorei,- activeFlag,  £1) 

(A2)  Ext  1  €  Exts  1 

(A3)  (Hi  =  tH"  ::  ip  1,  ipi  =  chrome. management. setEnabled(«i,  idcb,  (string,  id,  idext,  activeFlag)) 
(A4)  kiQ£i* 

(A5)  i'i  =K>tnt  £1 
(A6)  fresh(ide) 

(A7)  ei  =  (ide,  idcb,  none,  get\nfo(Exti),£'i~) 

(A8)  E(  =  Ei  [4/-,  4=  1]/'/] 

(A9)  £1  =  ei 


101 


sub-subcase  i.  K\  C  k,  l\  Q  n 
By  BROWSERSTATEl 

(1)  lK=  ipi,  i’l  e  ^1  iK 
By  1  4-k<c  ^2  Ik,  (1) 

(2)  3-02  G  ^2  Ik,  s.t.  i’l  Ik<  ^2  U-  namely  ip2  =  ipi 

ip2  =  chrome. management. setEnabled(Ki,  idcb ,  ( string ,  id,  idext,  activeFlag )) 

(3)  V2=*"::ip2 

By  Extsi  Exts2  \.K 

(4)  3Ext2  £  Exts2 

s.t.  Ext2  =  {idext,  ExtCore2,  ■  ■  ■ ,  activeFlag ,  ii),  ExtCorei  <  ExtCore2 
By  (A4),  (A5),  (2),  (4),  apply  EnableDisableExtI(B)  to  E2 

(5)  fresh{ide ) 

(6)  e2  =  {id e' ,  idcb,  none,  get\nfo(Ext2),£'1~)  =  ei 

(7)  l'  =  l2[^  2  «<=$"] 

(8)  £2  =  e2 

By  (A3),  (2),  (3),  'Ll  ;«<c  <L2  U,  Lemma  11 

(9)  n  u<c  n  U 

By  STATE,  (A8),  (7),  (9) 

(10)  Ei  E2  J.K 
By  (A9),  (6),  (8) 

(11)  £\  ),K<  £2  4,k 

sub-subcase  ii.  Ki  C  k,  i\~  %  k 

By  Lemma  1 1 

(1)  ’Ll  ;K<c  ’Ll  U 

By  (A8),(l),  and  STATE 

(2)  E[  4-k^  Li  \.k 
By  (2)  and  Ex  \.K<  E2  iK 

(3)  E’i  ),K<  E2 
By  EVENT2,  (A9) 

(4)  £i  ~Ik=  ' 
sub-subcase  iii.  %  k 

By  BROWSERSTATE2 

(1)  4>!  Ik=  ■ 

(2)  'Ll  Ik=  U 
By  (A4) 

(3)  E'i  ),K=  E\  iK<  L2  Ik 
By  (A5),  Ki  g  K,  EVENT2 

(4)  l2~  %  K 

(5)  £\  \-k —  Ci  — 
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